Robot CA at toehold.com

Volker Gaibler volker.gaibler@urz.uni-heidelberg.de
Thu Dec 5 22:12:03 2002


On Thu, Dec 05, 2002 at 11:43:12AM -0600, Kyle Hasselbacher wrote:
> bogus-but-signed key.  Challenge/response systems have the same problem,
> however.  In a sense, if the attacker can intercept the victim's email, the
> verification is working--the attacker DOES have access to that email
> address, and that's all the robot is trying to find out.  From the robot's
> point of view, there's no difference between this and two (or more) people
> who legitimately and knowingly share an email address.

But why use encryption at all in that case? Slightly simplified:
If someone can read your unencrypted mail (sysadmin or somebody sniffing
network traffic) - and that's what you want to prevent - also can create
bogus-but-signed keys.

Volker


-- 
 Volker Gaibler                                 contact:
 http://www.volker-gaibler.de                   mail@volker-gaibler.de
 OpenPGP key: 0x86ECAC0B
 get my public key from website above 
+---------------------------------------------------------------------+