Secure voice software issues
Phil Karn
karn at qualcomm.com
Wed Aug 11 14:22:05 PDT 1993
>To me at least this seems unimportant for the application. If all you're
>doing is exchanging session keys over the phone, it doesn't really matter if
>you are sure that the public key actually belongs to who it claims it does,
Well...yes. *If* you know the person you are talking to, then you can
read off your session key (or preferably its hash) to guard against the
man in the middle. But let's say you are being referred to someone who
you don't already know (or you know them only by email, and have no idea
what they sound like). You trust this person, but you can't depend on
an oral challenge-response. The existing PGP web should be handy here.
Phil
More information about the cypherpunks-legacy
mailing list