[dcc2] Multi headers + metadata
Jesse McGrew
jmcgrew at hansprestige.com
Thu Apr 29 19:44:51 EDT 2004

codemastr wrote:
>>Or, more practically, call the other guy up on the phone (or even AIM,
>>ICQ, etc.) and ask him to read off his key fingerprint.
>>
>>
>Well, if someone is packet sniffing your connection, then they will see your
>AIM/ICQ messages as well. As for phone... I don't want everyone I meet on
>IRC having my phone number. For friends, fine. But, I don't want to have to
>make a phone call every time I want to do a DCC send.
>
>
It doesn't matter if someone *sees* your key fingerprint; it's just a
hash of your public key. The fingerprint lets you verify that you have
the right key. Reading the public key itself over the phone, AIM, etc.
would serve the same purpose, but of course the fingerprint is much
shorter. What you need to worry about is whether a man in the middle is
*changing* the key fingerprint before it gets to you.

Any key exchange without a central authority will need some kind of
untampered channel--not a "secure" channel that no one else can monitor,
but a channel where you can be sure that the person you're talking to is
who you think it is. That channel might be IRC, AIM, email, telephone,
or certified mail, depending on just how paranoid you are. But I would
say it's harder for someone to simultaneously intercept and change
messages on IRC, AIM, and email than to only intercept and change
messages on the DCC2 socket.

Jesse
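
Added example (not part of the original message and not DCC2 project code): a sketch of the check described above, where the key received on the DCC2 socket is accepted only if its fingerprint matches what the peer reported on several independent channels. The SHA-256 fingerprint, the opaque key bytes, the channel names and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the raw key bytes, grouped in fours for reading aloud.
    (Assumption: the page does not say which hash DCC2 would use.)"""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def normalize(fp: str) -> bytes:
    """Drop spacing and case so a typed or spoken fingerprint compares cleanly."""
    return "".join(fp.split()).lower().encode()

def verify_key(received_key: bytes, reported: dict[str, str],
               required: int = 2) -> tuple[bool, list[str]]:
    """`reported` maps a channel name to the fingerprint the peer gave there.
    Accept only if every channel agrees with the key that actually arrived
    and at least `required` independent channels were consulted.
    Returns (accepted, channels whose fingerprint did not match)."""
    actual = normalize(fingerprint(received_key))
    mismatched = sorted(ch for ch, fp in reported.items()
                        if not hmac.compare_digest(actual, normalize(fp)))
    return (not mismatched and len(reported) >= required), mismatched

# Constructed sample keys; real keys would be the bytes sent over the socket.
PEER_KEY = b"constructed-peer-public-key"
ATTACKER_KEY = b"constructed-attacker-public-key"
PEER_FP = fingerprint(PEER_KEY)

def demo():
    # The fingerprint is public: anyone may see it on IRC or email.
    channels = {"irc": PEER_FP, "email": PEER_FP.upper()}
    honest = verify_key(PEER_KEY, channels)
    # Key replaced on the socket, fingerprints untouched: every channel disagrees.
    swapped = verify_key(ATTACKER_KEY, channels)
    # Key replaced and the fingerprint rewritten on one channel only:
    # the untampered channel still exposes the substitution.
    partial = verify_key(ATTACKER_KEY,
                         {"irc": fingerprint(ATTACKER_KEY), "email": PEER_FP})
    return honest, swapped, partial

if __name__ == "__main__":
    for label, result in zip(("honest", "swapped", "partial"), demo()):
        print(label, result)
```
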