On Thursday, October 2, 2014, Ben Laurie <[email protected]> wrote:

> On 25 September 2014 09:48, Trevor Perrin <[email protected]> wrote:
> The difference is that with CT the user whose key changes necessarily
> becomes aware that it has changed. In "the simple thing?" only the
> targeted user of the key is aware of this change.

CT makes detecting key changes symmetric between the parties that intend to communicate. Traditional TOFU gives MitMs a *choice* of who to target. This makes things easier for adversaries in a lot of common situations. (E.g., impersonate the MBA to the crypto guy, or the crypto guy to the MBA?)

> It seems odd to argue that scheme A is better than scheme B because A
> reduces the chance of detection of badness vs B and thus doesn't raise
> the problem of what you do about that badness...

+1. I'd note, as well, that TOFU/pinning is not inherently incompatible with CT: TOFU could be used by the correspondents of someone who wants their public key to be secret, while they use CT to confirm others' keys.

> BTW, it seems to me that getting to the state where key changes are
> rare would be useful in either case.

This seems impossible without large investments in securing hardware. There's some secure-ish hardware available in the certificate case (a few HSMs). But for the messaging case, we don't even have that...
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
