Robot CA at toehold.com
Volker Gaibler
volker.gaibler@urz.uni-heidelberg.de
Thu Dec 5 22:12:03 2002
On Thu, Dec 05, 2002 at 11:43:12AM -0600, Kyle Hasselbacher wrote:
> bogus-but-signed key. Challenge/response systems have the same problem,
> however. In a sense, if the attacker can intercept the victim's email, the
> verification is working--the attacker DOES have access to that email
> address, and that's all the robot is trying to find out. From the robot's
> point of view, there's no difference between this and two (or more) people
> who legitimately and knowingly share an email address.
But why use encryption at all in that case? Slightly simplified:
If someone can read your unencrypted mail (sysadmin or somebody sniffing
network traffic) - and that's what you want to prevent - also can create
bogus-but-signed keys.
Volker
--
Volker Gaibler contact:
http://www.volker-gaibler.de mail@volker-gaibler.de
OpenPGP key: 0x86ECAC0B
get my public key from website above
+---------------------------------------------------------------------+