[OTR-users] New gaim-otr and otrproxy ready for beta testing
CLAY SHENTRUP
CLAY at BROKENLADDER.COM
Mon Oct 17 19:08:30 EDT 2005
>
> A secure session id? No, all that guarantees is that your current
>
conversation is private. It does *not* guarantee that the fingerprint
> you received is actually the correct one.
I'm trying to wrap my head around this one. If the session key was
ultimately derived from your private diffie-hellman generator value, and a
signed public diffie-hellman value from the other party, then this would
seem to indicate that only a person who actually has the private key from
which a fingerprint is derived could have produced that session key. If you
call up your friend and recognize his voice, and he verifies that session
key, he has to be the real owner of the private key that produces the
fingerprint that you think he has. If that fingerprint wasn't really his,
how would he know that session key?
Where is this rationale broken?
Thanks,
Clay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20051017/bfb273b7/attachment.html>
More information about the OTR-users
mailing list