[freenet-dev] Short refs was Re: alternative to #freenet-refs
Matthew Toseland
toad at amphibian.dyndns.org
Thu Nov 22 00:34:05 UTC 2007
On Wednesday 21 November 2007 01:46, you wrote:
> Matthew Toseland wrote:
> > You're talking about geeks. And even they don't usually go to the effort. But
> > this whole conversation kicked off when you said files were inconvenient. :)
>
> They are inconvenient - if I could convince the rest of the world to use
> short refs, I would. But not passwords, that would be a step backwards. ;-)
>
> > I still don't see how you are going to use them. Bob makes up a password and
> > gives it to Alice out of band over the phone. Alice proves she has the
> > password through a challenge/response. Alice gets 3 tries. What's the attack
> > vector?
>
> Sorry, I misunderstood. I thought you were proposing that there should
> be no up-front exchange of pubkeys/passwords, but after establishing the
> connection it should be checked for MITM attacks by generating a
> password from the JFK pubkeys and verifying it OOB (like Zfone does).
Well, suppose we did this. 128 bits is 25 characters. We add one character for
redundancy (checksum). One advantage is it only needs to be exchanged in one
direction. This would seem at the moment to be the simplest option. And we
then only need to exchange IP:port in advance.
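
The scheme sketched in this message, as an added example that is not part of the original post or Freenet's code: a 128-bit value derived from both handshake public keys, written as 25 characters plus one check character and compared out of band. The base36 alphabet, the truncated SHA-256 derivation and the ISO 7064 MOD 37,36 check character are assumptions; the message specifies none of them.

```python
import hashlib
import hmac

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"  # assumed alphabet (base36)
BODY_LEN = 25  # 36**24 < 2**128 <= 36**25, so 25 characters carry 128 bits


def fingerprint128(initiator_pub: bytes, responder_pub: bytes) -> int:
    """128-bit value bound to both keys (assumed: truncated SHA-256)."""
    h = hashlib.sha256()
    for key in (initiator_pub, responder_pub):
        h.update(len(key).to_bytes(4, "big") + key)  # length prefix: no ambiguity
    return int.from_bytes(h.digest()[:16], "big")


def check_char(body: str) -> str:
    """One redundancy character, ISO 7064 MOD 37,36 (assumed choice)."""
    p = 36
    for ch in body:
        s = (p + ALPHABET.index(ch)) % 36 or 36
        p = (s * 2) % 37
    return ALPHABET[(37 - p) % 36]


def short_ref(initiator_pub: bytes, responder_pub: bytes) -> str:
    """25 base36 characters of fingerprint plus 1 check character."""
    n = fingerprint128(initiator_pub, responder_pub)
    digits = []
    for _ in range(BODY_LEN):
        n, r = divmod(n, 36)
        digits.append(ALPHABET[r])
    body = "".join(reversed(digits))
    return body + check_char(body)


def verify(typed: str, initiator_pub: bytes, responder_pub: bytes) -> str:
    """Return 'typo' (bad check character), 'mismatch' (keys differ) or 'ok'."""
    s = "".join(typed.split()).lower()
    if (len(s) != BODY_LEN + 1 or any(c not in ALPHABET for c in s)
            or check_char(s[:-1]) != s[-1]):
        return "typo"
    expected = short_ref(initiator_pub, responder_pub)
    return "ok" if hmac.compare_digest(s, expected) else "mismatch"


if __name__ == "__main__":
    # Constructed 32-byte stand-ins for the two handshake public keys.
    print(short_ref(b"A" * 32, b"B" * 32))
```

Separating "typo" from "mismatch" lets a mistyped string be re-entered without being counted as a failed verification, while a well-formed string that does not match the keys seen on the wire means the two ends negotiated with different keys.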