On Fri Aug 29 12:11:11 2008, Pedro Melo wrote:

Well, I have this thing called a roster, and some of them I already
have certified as being the person I expect them to be. And for
some of those, I actually trust their judgement. So why not ask
them if they know this person? And if yes, what's the signature
they know them by?

Hmmm. A protocol allowing me to discover if another jid is on your
roster?
Interesting concept.

There are two issues:

First off, if I'm in your roster, you might ask me about Dirk's
fingerprint - in which case, I know that you're talking to Dirk,
which is pretty awesome. We can shield this one by hashing the jid,
so I can then scan through my hashes-of-known-jids and at least only
know you're talking to Dirk if I previously have as well.

Second, if I reply with a fingerprint match, I'm verifying not only
the fingerprint, but that I, too, have spoken to Dirk and confirmed
him, so you can run away and tell everyone we're co-conspirators.

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
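
The hashed-JID lookup discussed in the message above, as an added example that is not part of the original thread or of any XMPP specification: a requester hashes the target JID, each trusted contact scans its own hashes-of-known-jids, and the replies are sorted into match, mismatch and unknown. The class and function names, the choice of SHA-256, the lower-casing used in place of real JID normalisation, and the JIDs and fingerprints are all constructed assumptions.

```python
import hashlib

def jid_hash(jid: str) -> str:
    # Assumption: lower-casing stands in for proper JID normalisation.
    return hashlib.sha256(jid.strip().lower().encode("utf-8")).hexdigest()

class Contact:
    """A roster contact that answers hashed-JID fingerprint queries."""
    def __init__(self, verified):
        # verified: {jid: fingerprint} for peers this contact has confirmed
        self._by_hash = {jid_hash(j): (j, fp) for j, fp in verified.items()}
        self.learned = []  # targets this contact could identify from queries

    def query(self, hashed_jid):
        hit = self._by_hash.get(hashed_jid)
        if hit is None:
            return None  # hash not on this roster: the target stays opaque
        jid, fingerprint = hit
        self.learned.append(jid)  # first issue: contact learns who you asked about
        return fingerprint        # second issue: reply shows the contact verified this JID

def cross_check(target_jid, seen_fingerprint, trusted_contacts):
    """Ask each trusted contact about the target and classify the answers."""
    hashed = jid_hash(target_jid)
    result = {"match": [], "mismatch": [], "unknown": []}
    for name, contact in trusted_contacts.items():
        answer = contact.query(hashed)
        if answer is None:
            result["unknown"].append(name)
        elif answer == seen_fingerprint:
            result["match"].append(name)
        else:
            result["mismatch"].append(name)  # conflicting fingerprint: investigate
    return result

# Constructed sample data (not real JIDs or key fingerprints).
DIRK = "dirk@example.org"
DIRK_FP = "AA:11:BB:22"

def demo_contacts():
    return {
        "alice": Contact({DIRK: DIRK_FP, "erin@example.org": "CC:33:DD:44"}),
        "bob": Contact({"erin@example.org": "CC:33:DD:44"}),
        "carol": Contact({DIRK: "EE:55:FF:66"}),
    }

if __name__ == "__main__":
    print(cross_check("Dirk@Example.org", DIRK_FP, demo_contacts()))
```

JIDs are guessable strings, so a contact without the target on its roster can still hash candidate JIDs and compare them to the query; the hash hides the target only from contacts who do not guess it.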