From: “Perry E. Metzger” <pmetzger@lehman.com>
To: cypherpunks@toad.com
Message Hash: 4c87ea96ddc1f10df13e601b4304047c69e55f7aac405b80360133abf4e04c1a
Message ID: <9308112213.AA03961@snark.shearson.com>
Reply To: <9308112117.AA03868@servo>
UTC Datetime: 1993-08-11 22:17:31 UTC
Raw Date: Wed, 11 Aug 93 15:17:31 PDT
From: "Perry E. Metzger" <pmetzger@lehman.com>
Date: Wed, 11 Aug 93 15:17:31 PDT
To: cypherpunks@toad.com
Subject: Re: Secure voice software issues
In-Reply-To: <9308112117.AA03868@servo>
Message-ID: <9308112213.AA03961@snark.shearson.com>
MIME-Version: 1.0
Content-Type: text/plain
Phil Karn says:
> >To me at least this seems unimportant for the application. If all you're
> >doing is exchanging session keys over the phone, it doesn't really matter if
> >you are sure that the public key actually belongs to who it claims it does,
>
> Well...yes. *If* you know the person you are talking to, then you can
> read off your session key (or preferably its hash) to guard against the
> man in the middle. But let's say you are being referred to someone who
> you don't already know (or you know them only by email, and have no idea
> what they sound like). You trust this person, but you can't depend on
> an oral challenge-response. The existing PGP web should be handy here.
I think that we are too casual about this -- Rich Little or someone
similar could easily impersonate your voice over a vocoder well enough
that unless I decided to do a "so, tell me about what we had for lunch
last week" routine you couldn't tell the difference. I think that even
if you DO know the other person verification is valuable -- especially
given the distortionary effects of vocoders.
Perry
Return to August 1993
Return to “thug@phantom.com (Murdering Thug)”