> On Apr 21, 2016, at 11:10 AM, Frederic Jacobs <[email protected]> wrote:
>
> Interestingly, I think they are performing the authentication over an un-authenticated channel. It is my understanding that the "secret identification" is not tied to the authentication of the WebRTC session.
>
> I think that SilentCircle has a more elegant solution when it comes to integrating two different authentication mechanisms (one for voice and one for messaging).
> They add the ZINA's (their ratchet) identity key in the ZRTP confirm packet, so it’s part of the SAS that is verified on calls. It’s nice because SAS are shorter than key fingerprints and yet reasonably secure.

Thanks for sharing this, Frederic. I’ll have to take a closer look at SilentCircle. It would be good to know if users can habituate to avoid reading the SAS.

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
