On Sun, Sep 29, 2013 at 8:57 AM, Michael Rogers <mich...@briarproject.org> wrote: > > We're also planning to support introductions through mutually trusted > third parties. [...] > Alice and Carol must trust Bob not to MITM the key exchange.
It'd be nice if Alice and Carol could use some additional, out-of-band channel to authenticate the ephemeral DH exchange. Best I can think of are short auth strings (SAS), public-key fingerprints (if you added long-term "identity keys"), and PAKE. The tradeoffs are something like: * Key fingerprints and SAS are non-secret (unlike PAKE passwords) * SAS and PAKE can use short strings of several chars (unlike fingerprints) * Fingerprints can be exchanged before *or* after the ephemeral DH handshake (unlike PAKE passwords or SAS) * Fingerprints can be confirmed with 3rd parties or public records (unlike PAKE passwords or SAS) * Fingerprints and PAKE can be compatible with a single, unordered handshake exchange of ephemeral DH values, unlike SAS Trevor _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
