1993-08-11 - Re: Secure voice software issues

Header Data

From: “Perry E. Metzger” <pmetzger@lehman.com>
To: cypherpunks@toad.com
Message Hash: 4c87ea96ddc1f10df13e601b4304047c69e55f7aac405b80360133abf4e04c1a
Message ID: <9308112213.AA03961@snark.shearson.com>
Reply To: <9308112117.AA03868@servo>
UTC Datetime: 1993-08-11 22:17:31 UTC
Raw Date: Wed, 11 Aug 93 15:17:31 PDT

Raw message

From: "Perry E. Metzger" <pmetzger@lehman.com>
Date: Wed, 11 Aug 93 15:17:31 PDT
To: cypherpunks@toad.com
Subject: Re: Secure voice software issues
In-Reply-To: <9308112117.AA03868@servo>
Message-ID: <9308112213.AA03961@snark.shearson.com>
MIME-Version: 1.0
Content-Type: text/plain



Phil Karn says:
> >To me at least this seems unimportant for the application.  If all you're
> >doing is exchanging session keys over the phone, it doesn't really matter if
> >you are sure that the public key actually belongs to who it claims it does,
> 
> Well...yes. *If* you know the person you are talking to, then you can
> read off your session key (or preferably its hash) to guard against the
> man in the middle. But let's say you are being referred to someone who
> you don't already know (or you know them only by email, and have no idea
> what they sound like). You trust this person, but you can't depend on
> an oral challenge-response. The existing PGP web should be handy here.

I think that we are too casual about this -- Rich Little or someone
similar could easily impersonate your voice over a vocoder well enough
that unless I decided to do a "so, tell me about what we had for lunch
last week" routine you couldn't tell the difference. I think that even
if you DO know the other person, verification is valuable -- especially
given the distortionary effects of vocoders.

Perry






