sameer <sameer@c2.org> writes:

> In the situation you cite, Bob doesn't know Alice apart from their email correspondence?

Right. My goal is to have a system in which two individuals who have never met can communicate securely. This is not too radical a notion, I trust. In fact, I would go so far as to say that to a considerable extent it is the whole point of public key cryptography.

> In this case the ISP is acting as extension-of-Alice. Bob thinks he is talking to Alice but he is talking to ISP+Alice. What difference does it make, if Bob has no knowledge of Alice outside their email discussion, that Bob is talking to ISP+Alice rather than just Alice? From Bob's perspective, Alice is really an alias for ISP+Alice. (The same goes for Alice in the other direction.)

What difference does it make? I'll tell you. It means that their conversation is not private! It means that their cryptography is useless, that it has failed. It means they have an insecure channel. I don't know how I can put it more plainly than this. I wrote a long article a few days ago arguing that they almost might as well not use cryptography if they're going to adopt this stance. Let anyone eavesdrop, and from Bob's point of view when he thinks he is talking to Alice he is actually talking to eavesdroppers+Alice. From his point of view, Alice is just an alias for eavesdroppers+Alice. Etc., etc.

> In Tim's words, from Alice's point of view "Bob the key" == "Bob the person and Bob's ISP". From Bob's point of view "Alice the key" == "Alice the person & Bob's ISP".

This is not a useful or appropriate way to think of the world, IMO. If you do this, then from your perspective people become bafflingly unreliable. I wrote all about this before.

> The MITM attack only matters if there is a context outside the email correspondence. (Say, perhaps, a drug deal which involves real physical goods.)

Try to think of it not in relativistic or epistemological terms, but rather look at it in terms of reality. The real world exists, and in it exist real people. We can agree on this much, right? Two of these people want to communicate securely. That is not such a stretch of the imagination, is it? By "communicate securely" I mean they exchange information in such a way that other people don't receive it. Now surely it is clear that with this definition of the problem, approaches which redefine people to mean people+eavesdroppers are not responsive. Perhaps the motivation to do so is simply the belief that the problem is not solvable as stated. If so, I'd like to hear someone say this.

Hal
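The "ISP+Alice" situation the thread argues about, as an added worked example that is not part of the original message or of any poster's code. It models an unauthenticated Diffie-Hellman exchange over a toy group (a small Mersenne prime, chosen only so the arithmetic is easy to follow, and far too weak for real use); the names, the group parameters and the fingerprint check are all constructed for illustration. The first function shows the honest case, the second shows why Hal says the channel is "not private" when a relay substitutes its own keys in each direction, and the same function shows what actually detects it: comparing a key fingerprint over a second channel, which is the step the "Alice is an alias for ISP+Alice" view quietly drops.

```python
"""Toy model of an unauthenticated key exchange with and without a relay
(constructed example; not from the thread)."""
import hashlib
import secrets

# Constructed toy group: 2**127 - 1 is prime, but this is for illustration only.
P = 2**127 - 1
G = 5


def keypair():
    """Return (private exponent, public value) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared(priv, other_pub):
    """Diffie-Hellman shared secret: other_pub ** priv mod P."""
    return pow(other_pub, priv, P)


def fingerprint(pub):
    """Short, human-comparable digest of a public value (constructed format)."""
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16]


def direct_exchange():
    """Alice and Bob exchange public values with nobody in between.

    Returns (keys_agree, fingerprints_match): both are True, because the value
    Alice receives really is Bob's, and vice versa.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    received_by_alice = b_pub      # what actually arrives at Alice
    received_by_bob = a_pub        # what actually arrives at Bob
    k_alice = shared(a_priv, received_by_alice)
    k_bob = shared(b_priv, received_by_bob)
    # Out-of-band check: Bob reads fingerprint(b_pub) to Alice over a second
    # channel (say, by phone); Alice compares it with what she received.
    fingerprints_match = fingerprint(b_pub) == fingerprint(received_by_alice)
    return k_alice == k_bob, fingerprints_match


def relayed_exchange():
    """The ISP sits between them and swaps in its own public values.

    Alice receives the ISP's value believing it is Bob's; Bob receives another
    ISP value believing it is Alice's. Each side ends up sharing a key with the
    ISP rather than with each other, so the ISP decrypts and re-encrypts every
    message: this is the "ISP+Alice" channel, and it is not private.

    Returns (isp_holds_both_keys, fingerprints_match): True and False. The
    out-of-band fingerprint comparison is what exposes the substitution.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    isp_a_priv, isp_a_pub = keypair()   # ISP's key facing Alice
    isp_b_priv, isp_b_pub = keypair()   # ISP's key facing Bob
    received_by_alice = isp_a_pub       # substituted for b_pub
    received_by_bob = isp_b_pub         # substituted for a_pub
    k_alice = shared(a_priv, received_by_alice)
    k_bob = shared(b_priv, received_by_bob)
    k_isp_with_alice = shared(isp_a_priv, a_pub)
    k_isp_with_bob = shared(isp_b_priv, b_pub)
    isp_holds_both_keys = (k_isp_with_alice == k_alice) and (k_isp_with_bob == k_bob)
    # Same out-of-band check as in the honest case: Bob's real fingerprint
    # does not match the value Alice was handed, so the relay is caught.
    fingerprints_match = fingerprint(b_pub) == fingerprint(received_by_alice)
    return isp_holds_both_keys, fingerprints_match


if __name__ == "__main__":
    print("direct :", direct_exchange())    # (True, True)
    print("relayed:", relayed_exchange())   # (True, False)
```

The point the example makes is the one Hal is pressing: nothing inside the email channel distinguishes the two runs, since in both cases Alice and Bob each end up with a key that "works". The difference shows up only when some fact from outside the channel, here the fingerprint of Bob's real key, is brought in and compared, which is exactly the context the "alias" view says does not exist.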