1997-12-08 - Re: WoT discussions, Trust for Nyms
Header Data
From: “Arnold G. Reinhold” <reinhold@world.std.com>
To: Adam Back <smith@securecomputing.com
Message Hash: bf69d4310ab3e0af9f31950b78032ea8807277f5b76fa72fafdfb281eba89636
Message ID: <v03110702b0b1db4cc9b3@[24.128.40.70]>
Reply To: <v03007800b0ae121c8f4c@[172.17.1.150]>
UTC Datetime: 1997-12-08 17:56:43 UTC
Raw Date: Tue, 9 Dec 1997 01:56:43 +0800
Raw message
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Date: Tue, 9 Dec 1997 01:56:43 +0800
To: Adam Back <smith@securecomputing.com
Subject: Re: WoT discussions, Trust for Nyms
In-Reply-To: <v03007800b0ae121c8f4c@[172.17.1.150]>
Message-ID: <v03110702b0b1db4cc9b3@[24.128.40.70]>
MIME-Version: 1.0
Content-Type: text/plain
At 12:06 AM +0000 12/6/97, Adam Back wrote:>
>
>Another lower bandwidth method of making the MITM's job harder is to
>sign and/or publish hashes of public key databases -- download the
>keys, or some useful easily definable subset of keys on keyservers,
>and publish the hash of them in as many media as possible (web,
>finger, news, mail, newspapers, etc.)
>
I have always felt this to be a nearly complete and practical answer to
MITM attacks. Frozen versions of major key databases would be made
available on the net along with a master list of hashes. The hash of that
master list would be widely distributed by electronic and non-electronic
means. One would only have to do it periodically, say every year or two.
Why can't this be done now?
A public billboards would be a good location to post the master hash. (I
like to call the whole approach the "Billboard defense.") I suspect one
could rent visible space on the back side of billboards quite cheaply.
Another good location would be on a bulletin board near a publicly
accessible library. The MIT "infinite corridor" comes to mind.
A variant is for PGP users to post their own fingerprint near their house
or place of business. A business-card-size sign in a window near the front
door would do. People who agree to post such signs would be identified in
the key server database. A suspicions John could then look up a suitable
public key holder in their area, visit their house, and verify the
fingerprint. John would then e-mail an encrypted request to verify a
suspect key to that person.
>Let's say John buys a book on cryptography, and the author included
>his fingerprint. Then John could use this person to authenticate a
>key with Alice. He could write to the author, including a nonce with
>the plaintext, and ask the author to check that the key he thought
>belonged to Alice really did belong to her.
>
My PGP fingerprint is printed on page 232 of E-mail for Dummies, 2nd
edition, IDG Books Worldwide, which I co-authored.
Arnold Reinhold
Thread
Return to December 1997
- Return to “Adam Back <aba@dcs.ex.ac.uk>”
- Return to ““Arnold G. Reinhold” <reinhold@world.std.com>”
- Return to “Bill Stewart <bill.stewart@pobox.com>”
- Return to ““James A. Donald” <jamesd@echeque.com>”
- Return to “nobody@REPLAY.COM (Anonymous)”
Return to “Rick Smith <smith@securecomputing.com>”
- 1997-12-05 (Fri, 5 Dec 1997 09:12:33 +0800) - Please Beta test my communications cryptography product. - “James A. Donald” <jamesd@echeque.com>
- 1997-12-05 (Fri, 5 Dec 1997 15:18:17 +0800) - No Subject - nobody@REPLAY.COM (Anonymous)
- 1997-12-05 (Sat, 6 Dec 1997 06:28:09 +0800) - Re: Please Beta test my communications cryptography product. - Rick Smith <smith@securecomputing.com>
- 1997-12-06 (Sat, 6 Dec 1997 08:14:23 +0800) - WoT discussions, Trust for Nyms - Adam Back <aba@dcs.ex.ac.uk>
- 1997-12-08 (Tue, 9 Dec 1997 01:56:43 +0800) - Re: WoT discussions, Trust for Nyms - “Arnold G. Reinhold” <reinhold@world.std.com>
- 1997-12-13 (Sat, 13 Dec 1997 11:20:55 +0800) - Kong Re: Please Beta test my communications cryptography product. - Bill Stewart <bill.stewart@pobox.com>