From: guy@theporch.raider.net (Jonathan Guy)
Date: Wed, 11 Aug 93 01:56:52 PDT
To: karn@qualcomm.com (Phil Karn)
Subject: Re: Secure voice software issues
In-Reply-To: <9308100259.AA24433@servo>
Message-ID: <m0oQB7m-0009UVC@theporch.raider.net>
MIME-Version: 1.0
Content-Type: text/plain


> I agree that RSA public keys could be exchanged as needed during the
> call, although this might require a few iterations before a party gets
> a signature that it can trust. Finding a path through the PGP "web of

To me at least this seems unimportant for the application.  If all you're
doing is exchanging session keys over the phone, it doesn't really matter if
you are sure that the public key actually belongs to who it claims it does,
only that the person you're talking to (who you presumably already know)
actually possesses the corresponding private key.  This can be verified with
a simple challenge-response system.  The identity problem is removed if you
use a different key pair for phone conversations than you do for signature
purposes... there doesn't need to be any information actually connecting the
key with you.

-- 
Jonathan R. Guy                    |  The opinions expressed above are not  
E-Mail: guy@theporch.raider.net    |     those of my employer.  Nor are
Snail:  P.O. Box 158325            |  they my own.  Actually, I copied them  
        Nashville, TN 37215        |        from the encyclopedia.