I guess we have been considering injecting fake mappings as a serious attack. If the main trusted auth provider claims that Bill Gates' personal phone number should route to @matthew:matrix.org or xmpp:[email protected] or whatever, I will end up intercepting all of his messages... unless there is a solid reputation system either for auth providers or for the endpoints. This feels like a pretty big problem, if a single auth provider can be compromised or temporarily go rogue and start adding malicious mappings; hence looking for a way to try to keep folks honest.
--
Matthew Hodgson
matrix.org

> On 19 Aug 2015, at 20:01, [email protected] wrote:
>
> Hi, Matthew
>
> It seems that we can reduce power of auth provider. As we always rely on
> SMS-gates for auth and they are already much more powerful in this case.
> Plus gate can only add fake numbers. What's a problem with it?
>
> For building secure we need more than only single auth provider. For securing
> some accounts people can use 2FA.
>
> Steve.
>
> 19.08.2015, 19:53, "Matthew Hodgson" <[email protected]>:
>> This is similar to the decentralised identity service ideas we've been
>> experimenting with for Matrix. The problem we've hit (which I think this
>> scheme suffers from too) is how you choose which auth providers to trust,
>> otherwise you end up un-decentralising the system as the de facto auth
>> provider ends up with way too much power. Do you consider this a problem?
>>
>> We've been looking at using something like the stellar consensus protocol to
>> propagate trust/reputation between the auth providers - or limiting
>> ourselves to email and piggybacking on top of DKIM like webfist/webfinger.
>>
>> p.s. does anyone know how dead/alive webfist is, and whether/why it failed?
>>
>> --
>> Matthew Hodgson
>> matrix.org
>>
>>> On 19 Aug 2015, at 17:26, [email protected] wrote:
>>>
>>> Hello everyone!
>>>
>>> Just finished small article about one idea of secure contact discovery:
>>> https://medium.com/@ex3ndr/encrypted-public-contact-discovery-95cfa0a0f6c7
>>>
>>> Steve.
>>> _______________________________________________
>>> Messaging mailing list
>>> [email protected]
>>> https://moderncrypto.org/mailman/listinfo/messaging
