At 05:45 PM 11/20/2003 -0800, Bill Frantz wrote:
At 4:40 PM -0800 11/20/03, Ralf-P. Weinmann wrote:
>... There should be a means to cache credentials after an initial
>trust relationship between communicating parties has been established.
Cache entries would be a way for someone who obtains the phone to be able
to trace your contacts. (So would a in-phone address book.) Automatic
authentication also might make it easier to spoof the phone's owner.
If you've got an in-phone address book, might as well
let the user cache some randomly-generated password string with it.
That doesn't protect you against someone stealing the phone,
but it means you've got an authentic connection to your co-conspirator's
stolen phone rather than to somebody else's phone.
If your threat model assumes that they can trick your phone into
doing things, you're already toast anyway.
If you're worried that Interpol will subpoena your phone
and show that the "Alice" and "Bob" passwords in your phone
correspond to Alice the Narc and Bob, your prisoner's-dilemma
ex-co-conspirator who's busy ratting you out,
they can probably do the same thing just from the phone numbers
(IP or otherwise.)
