On 2013-06-30, at 7:36 PM, James A. Donald <jam...@echeque.com> wrote:

> On 2013-07-01 8:55 AM, Nadim Kobeissi wrote:
>> On 2013-06-30, at 3:44 AM, James A. Donald <jam...@echeque.com> wrote:
>> 
>> 
>>> On 2013-06-30 5:13 PM, Danilo Gligoroski wrote:
>>> 
>>>> This was expected.
>>>> As Skype definitely ruined its reputation as a free end-to-end application
>>>> for secure communication, other products are taking their chances.
>>>> 
>>>> "Agencies showing sudden interest in encrypted comm" ---
>>>> 
>>>> http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-comm.aspx
>>>> 
>>>> 
>>> Silent Circle expects end users to manage their own keys, which is of 
>>> course the only way for end users to be genuinely secure. Everything else 
>>> is snake oil, or rapidly turns into snake oil in practice. (Yes, Cryptocat, 
>>> I am looking at you)
>> You seem to be implying that Cryptocat does not manage keys on the end-user 
>> side. This is false - Cryptocat users do manage their own keys on the client 
>> side, in fact.
> 
> 
> According to the paper, there are no long term public and private keys.  ID 
> is therefore wholly username and password

Ah, but there are no usernames and passwords either. Sessions are completely 
ephemeral. 

> Cryptocat does not currently store long-term key pairs (see § 9.2), need to 
> be generated, along with DSA parameters, each time 
> the application is launched
> Which of course does not make cryptocat inherently insecure, or fatally 
> flawed, but nonetheless, does not provide the security that would come from 
> users managing their own keys,

But yes, long-term keys are worth investigating.

NK

> if ever we managed to provide an interface where users successfully managed 
> their own keys without screwing up.
> 
> 
> 
> 

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
