On 03/11/2014 01:26 PM, Tony Arcieri wrote:
> On Tue, Mar 11, 2014 at 6:15 AM, Daniel Kahn Gillmor
> <[email protected]> wrote:
>
>> Short Authentication Strings have potentially severe problems in
>> anything other than a human→human synchronous communications
>> environment
>
> This is the only use case of fingerprints I'm considering in this thread.
> I'm not talking about their use by machines in e.g. cryptographic protocols

The dialog box image you linked to (http://i.imgur.com/2bEWKNS.png) is a
joke about Internet Explorer, which is a classic example of human→machine
interaction (the user of the web browser is trying to authenticate a
remote machine, which is the web server), not human→human interaction.

This use case is still a real security issue, and i haven't heard a
plausible answer yet about how SAS can be used to verify a web server's
key without introducing a number of troubling vulnerabilities.

Just because a SAS is useful for one case doesn't mean that exploring
other problem spaces is "studying the wrong solution".

--dkg
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
