This discussion can be divided into two separate situations. The first of which is exemplified perfectly by Hal: hfinney@shell.portal.com writes:
m5@dev.tivoli.com (Mike McNally) writes:
hfinney@shell.portal.com writes:
This situation with the MITM is actually about the same as if you were communicating insecurely in the first place. You are exposed to all of the same risks.
The only way to achieve the level of security offered by physical face to face communication with a person is to have a physical face to face conversation at some point. If you only ever communicate via electronic means, you are always subject to the risk of dealing with a synthetic entity. (I think.)
I don't think so, or at least the risk can be minimized much more than in the model where we just say that we're communicating with keys, therefore a MITM is perfectly legitimate because it's just a matter of who holds the keys. Suppose I want to talk to PC Magazine columnist John Dvorak. Suppose I find a VeriSign certificate for his key, with his name and employment information. I've never met him. We've never had a face to face conversation. Yet I claim I can communicate with considerable security with Dvorak using this certificate, certainly more than if I just use any old key which is lying around with his name on it, one which may be owned by a MITM.
Here the wish is to communicate with a 'real' person. A person that actually exists and has an in-built reputation that is separate from his key. This is very much a real life situation and is very similar to the first time that you meet someone - it is very hard to know that someone is who they say that they are, few people ask for ID and even ID is possible to fake (an old key that is actually owned by a MITM). In this case the person is known (of) and not the key - therefore it makes sense to attempt to ensure that the link between the key and the person is a strong (trustworthy) as possible. However this is not the case in the second situation: I could say that know that I enjoy reading mail from some people on the list, that I agree with some people on the list or that some people on the list hold very strong opinions on certain subjects. However this would not be correct as I have not met anyone else on the list in person (we do not all live in the US). It would be more correct to say that I enjoy reading mail from some addresses on the list (etc.) - I have no real idea whether hfinney@shell.portal.com is Hal or actually Tim expressing different views. If I mail Hal therefore I am actually mailing the entity that sends mail to the list from that address and I would do so being pretty sure that I was communicating with the person who mails here - but I would have no idea whether he is actually male, female, blond, brunette etc apart from what I chose to believe from others. Now mail is far easier to fake/intercept than a digital signature/encryption - at least I hope so. Therefore if Hal where to sign all of his messages I could check the signatures with a public key obtained from anywhere at all and if they passed then I could be confident that the messages were all written by the entity with control of the secret part of the key - at least far more confident than I am at all of the mail from hfinney@shell.portal.com actually comes from there. So instead of me getting the idea that hfinney@shell.portal.com posts interesting messages I get the idea that the holder of the secret key posts interesting messages - I would probably still use the mail address as keys are less convenient with current mail readers but that is an implementation problem. Hals reputation is therefore transfered to they key - no matter where I got the key from. So if I send encrypted mail to the person with the private part of Hal's key I can be sure that it can only be read by the person who actually sent the messages pertaining to be from Hal. So the MITM problem is 'defined away' in the case where a reputation grows with a key but is still a major problem where you want to transfer a ready made reputation to a key (as in the first example). In effect the key becomes a pseudonym and you can be sure of communicating with the pseudonym safely but can not be sure of anything about the pseudonum that you have not experienced yourself without trusting someone else (VeriSign in the first example). Thus the problem is more reputation transfer than anything else. Jon C. Baber jbaber@mi.leeds.ac.uk http://www.chem.surrey.ac.uk:80/~ch02jb/