Mike McNally <m5@dev.tivoli.com> writes:
Don M. Kitchen writes:
If we are forced to exchange keys remotely, then perhaps some sort of "proof" techniques could be used to establish to some level of assurance that the remote entity I *think* is you is really you. Or
So who is Pr0duct Cypher then? And why should I have to produce ID saying my name is Don, unless I'm proving my Real Name[tm] is Don.
Right. If we're forced to exchange keys remotely, I just have to deal with the possibility that I'm being spoofed.
You could take out a personal ad in a newspaper and print this: 9D AF 6D 4D 8E 64 43 FC D5 CB 9C 7A 36 C7 6D B9 (Pr0duct Cypher's key fingerprint). That would mean that you could at least help Pr0duct Cypher determine if there was a man in the middle. If there was a MITM, once Pr0duct was aware of this, P.C. could make efforts to change service provider, or find novel entry points into public internet forums, and different entry points in to the remailer net. For the other direction, as a nym, if newspapers accepted anonymous personal ads, an ad posted from a large city postal mail to the newspaper, would be a reasonable assurance that the identity of the person would be unkown. Or you could try paper mailing some one your instructions with cash to pay for the advert. It is likely that a randomly picked cypherpunk would do this for a nym. You could even take out two simultaneous ads in two independent newspapers which were secret split in two with XOR and a random number, if you were really paranoid. Now the MITM is reduced to denial of service attacks, by posting similar keys, and saying "no that nym is an imposter I'm the real nym". Denial of service is preferable to a MITM. Adam