On Tue, Mar 11, 2014 at 10:33 AM, Daniel Kahn Gillmor <[email protected]> wrote:
> This use case is still a real security issue, and i haven't heard a
> plausible answer yet about how SAS can be used to verify a web server's
> key without introducing a number of troubling vulnerabilities.

To flip the question around: are key fingerprints / TOFU a good way to verify a server's identity? I personally don't think so

--
Tony Arcieri
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
