Re: ciphire encrypted mail tool
From: Alan (a__l__a__n_at_hotmail.com)
Date: 01/20/05
Date: Thu, 20 Jan 2005 15:20:47 -0500
"Sebastian Gottschalk" <seppi@seppig.de> wrote in message
news:167z5yyuavnny$.dlg@news.individual.de...
> The key is stored at the server, you must fully trust the server in any
> phase of key handling, it's vulnerable against MITM and it's completely
> incompatible with OpenPGP/MIME and S/MIME.
Compatibility is an obvious issue...but since virtually nobody is using
those products anyway (as a percentage of all email users), that is not an
important issue for most people.
Perhaps you must fully trust the key server during the registration process,
but the Housley/Ferguson review did not point that out. There are some
safeguards. According to the review, the hybrid trust model (hierarchical
plus distributed) prevents malicious replacement of the public keys in a
certificate (e.g., to allow man-in-the-middle attacks), and malicious
changes to one or more certificate fields, such as the validity dates or
email address in the subject of the certificate (section 7.2.1).
However, an attacker positioned at the mail server (not key server)
apparently could register impersonating the victim. Then third parties who
use ciphire might believe they are sending encrypted mail to the victim,
while the attacker would be decrypting and reading all the mail from his
MITM position.
I'm not sure what would happen if the victim subsequently tried to register.
With collaboration from the key server, it should be possible to convince
the victim that his registration was successful.