17 Dec 2003, 11:17 p.m.
Eric Young writes:
On the PGPphone issue, personally I feel SSLphone would be a much better way of doing things.
Oh, yeah? No user certificates, no way to verify what's on the other end. No assurances that you aren't being tricked into using a weak algorithm because negotiation doesn't take place under cover of signature. Lots of little potential cracks. Thanks, but no thanks. This is not to slight your code. I'm slighting the protocol. If folks want to secure links, stick to clean protocols to do the key negotiation. I'm a fan of variants of STS myself, Photuris being a biggie.
For phone over modem, authentication is not really required
And why is that?

Perry
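The point about negotiation taking place "under cover of signature", as an added Go example that is not part of the original thread: the responder signs the offer list it received together with its choice, so the initiator can tell when the offer was altered in transit. The suite names, function names and the byte strings standing in for the ephemeral key-exchange values are constructed for illustration; a real STS-style exchange would sign the actual Diffie-Hellman exponentials.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

var serverSupports = map[string]bool{"STRONG-128": true, "EXPORT-40": true} // constructed suite names

// digest binds the whole negotiation: offer list, chosen suite, both ephemeral values.
func digest(offer []string, chosen string, ephC, ephS []byte) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%q|%q|%x|%x", offer, chosen, ephC, ephS)))
	return sum[:]
}

// respond (server): pick the first offered suite it supports, then sign the
// negotiation exactly as it was received.
func respond(priv ed25519.PrivateKey, seen []string, ephC, ephS []byte) (string, []byte) {
	chosen := ""
	for _, s := range seen {
		if serverSupports[s] {
			chosen = s
			break
		}
	}
	return chosen, ed25519.Sign(priv, digest(seen, chosen, ephC, ephS))
}

// verify (client): recompute the digest from the offer it actually sent.
func verify(pub ed25519.PublicKey, sent []string, chosen string, ephC, ephS, sig []byte) bool {
	return ed25519.Verify(pub, digest(sent, chosen, ephC, ephS), sig)
}

// run plays one handshake; tamper models an offer altered in transit.
func run(tamper bool) (string, bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	ephC, ephS := []byte("constructed-client-value"), []byte("constructed-server-value")
	sent := []string{"STRONG-128", "EXPORT-40"}
	seen := sent
	if tamper {
		seen = []string{"EXPORT-40"} // strong suite missing by the time the server sees it
	}
	chosen, sig := respond(priv, seen, ephC, ephS)
	return chosen, verify(pub, sent, chosen, ephC, ephS, sig)
}

func main() {
	fmt.Println(run(false))
	fmt.Println(run(true))
}
```

When the offer is altered, the server still returns a valid signature, but over a different offer list than the client sent, so the client's check fails and it can abort instead of proceeding with the weak suite.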