On Sat, Mar 13, 2010 at 1:00 PM, Robert J. Hansen <r...@sixdemonbag.org> wrote:
> > I'm a little confused as to how that makes it any different from
> > using the Pidgin OTR method.
>
> It's a question of degree, not kind.
>
> > I simply open up an OTR session, ask my friend a question the answer to
> > which is secret (only known to him)
>
> How do you know the secret is known only to him? Most "secrets" really
> aren't; a good investigator can discover an awful lot of "secret"
> information about someone. Shared-secret authentication is one of the
> weakest forms out there. It's better than nothing, but it's not something
> that ought to be relied upon. People tend to vastly overestimate how secret
> their secrets are.
>
> As an example, a few years ago I saw in a spy novel (set in the modern day)
> two protagonists negotiating a phone number over an insecure line. "Hey,
> that guy we know who did X? Take his phone number, subtract this number
> from it. The resulting phone number is what you need to call."
>
> It sounds great and reliable: it's a shared secret. The problem is it's
> totally bogus. Phone numbers aren't random. In the United States, for
> instance, phone numbers follow the NPA-NXX format. That reduces this
> question down to a glorified Sudoku: a skilled investigator could figure it
> out in just a few minutes.

Thanks for the explanation. Makes sense :-). I think I understand the pitfalls much better now.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users