On 10/02/2014 06:33 AM, David Leon Gil wrote:
>
> CT makes detecting key changes symmetric between the parties that intend
> to communicate.
>
> Traditional TOFU gives MitMs a *choice* of who to target. This makes
> things easier for adversaries in a lot of common situations. (E.g.,
> impersonate the MBA to the crypto guy, or the crypto guy to the MBA?)
I don't see where the symmetry comes from. In a scenario where only one party knows what a key is and has decided to opt into key change notifications, I believe an intercept is possible in either world? I think the only difference between the two worlds is whether what you *send* or what you *receive* can be intercepted, and whether you're notified in real time (before the MITM is successful) or after the fact (after the MITM is successful).

I think the point of both worlds is really just that the person doing the intercept is taking a risk, since they won't know whether the participants have opted into key change notifications or not. But in neither world can a participant really "prove" anything to anyone else if the attacker takes the risk and bets wrong.

- moxie

--
http://www.thoughtcrime.org

_______________________________________________
Messaging mailing list
https://moderncrypto.org/mailman/listinfo/messaging
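The question in this exchange is who gets to notice a substituted key: under TOFU pinning only the side that fetches the peer's key can compare it against what it saw before, whereas with a transparency-style log the key's owner can also audit entries under their own name after the fact. The toy model below is an added illustration written for this page, not code from the thread or from any CT or messaging project; the party names, key labels, the `Directory`/`TransparencyLog` classes and the "opted in" flag are all constructed assumptions. It runs the same key substitution (Bob's key, as fetched by Alice) under both models and reports which parties notice, across every combination of who has opted into checking.

```python
"""Added toy model (not from the thread): who can notice a substituted key under
TOFU pinning versus an append-only transparency log. Party names, key labels
and the store APIs are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class Party:
    name: str
    key: str                        # genuine public key (a constructed label)
    opted_in: bool = True           # checks pins / audits the log for its own name
    pins: dict = field(default_factory=dict)   # TOFU: peer name -> first key seen


class Directory:
    """Plain key server: serves the last key it was told, keeps no history and
    offers owners no audit. Whoever controls its responses can substitute a key."""
    def __init__(self):
        self.keys = {}

    def publish(self, name, key):
        self.keys[name] = key

    def lookup(self, name):
        return self.keys[name]

    def audit(self, party):
        return []                   # owners cannot see what others fetched


class TransparencyLog(Directory):
    """Append-only log: a key must be logged before a peer will accept it, so the
    owner can later audit every entry recorded under their own name."""
    def __init__(self):
        super().__init__()
        self.entries = []

    def publish(self, name, key):
        self.entries.append((name, key))
        super().publish(name, key)

    def audit(self, party):
        # Any logged key under my name that is not my genuine key is evidence.
        return [k for n, k in self.entries if n == party.name and k != party.key]


def enroll(store, *parties):
    """Publish genuine keys, then let each party pin each peer (TOFU first contact)."""
    for p in parties:
        store.publish(p.name, p.key)
    for p in parties:
        for q in parties:
            if q is not p:
                p.pins[q.name] = store.lookup(q.name)


def substitute_and_send(store, sender, receiver, mitm_key="MITM-KEY"):
    """Receiver's key is substituted as fetched by sender, then sender sends.
    Returns the set of party names that notice the substitution."""
    store.publish(receiver.name, mitm_key)
    seen = store.lookup(receiver.name)
    noticed = set()
    # The sender notices only if it pinned the earlier key and opted into checks.
    if sender.opted_in and sender.pins.get(receiver.name) not in (None, seen):
        noticed.add(sender.name)
    # The receiver notices only if the store lets owners audit their own entries.
    if receiver.opted_in and store.audit(receiver):
        noticed.add(receiver.name)
    return noticed


def who_notices(model, sender_opted_in, receiver_opted_in):
    """model is 'tofu' or 'log'; returns the set of names that detect the MITM key."""
    store = Directory() if model == "tofu" else TransparencyLog()
    alice = Party("alice", "ALICE-KEY", sender_opted_in)
    bob = Party("bob", "BOB-KEY", receiver_opted_in)
    enroll(store, alice, bob)
    return substitute_and_send(store, alice, bob)


if __name__ == "__main__":
    for model in ("tofu", "log"):
        for a, b in ((True, True), (True, False), (False, True), (False, False)):
            print(f"{model:4} alice_opted={a!s:5} bob_opted={b!s:5} "
                  f"-> noticed by {sorted(who_notices(model, a, b))}")
```

Reading the table the script prints: under `tofu` only Alice ever appears, and only when she has opted in, so the substitution against a non-checking sender goes unnoticed; under `log` Bob appears whenever he audits, regardless of Alice's setting, which is the "symmetry" at issue. In both models the row where neither party has opted in is empty, which is the bet the interceptor is making.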
