On Tue, Nov 08, 2005 at 12:02:03PM +0000, Brian Candler wrote: > The attacker doesn't have your private key, so they would create their own > key pair. As a result, the connecting client would see a *different* key > than the one they would see if they connect to your server directly. The > problem is, they have no way of telling which key is the one which belongs > to you, and which one is the one which belongs to the attacker.
Like many here; I've met Nick, and he gave me his key details in person. That makes me plenty insulated from a man in the middle attack. That's how PGP works. > If the client knows you personally, they can phone you up and ask for you to > read the key fingerprint over the phone, or fax it to them. That doesn't > scale very well. No, but it is a lot closer to an actual trust relationship. Trust doesn't scale. I mean, how many people do you trust? > So generally the client has to rely on a third-party to sign the key; That's the part a lot of us don't consider trustworthy. -- Colm MacCárthaigh Public Key: [EMAIL PROTECTED]
