On Sat, May 20, 2006 at 10:44:29PM +0100, James Westby wrote:

> No matter how well the encryption is implemented on top of a protocol
> like that it could be circumvented easily. For real security it has to
> be designed in from the start.

Yeah, I wondered why that has not been done. It's one of the first
things to think of when creating any protocol that can be used to
transfer information over insecure channels.

> > better. The hard thing is to find out what can be considered as
> > 'sufficiently difficult'.
>
> That's a subjective thing.

yes

> > someone would try to attack, he'd probably attack the other end since
> > it appears to be the weakest part.
>
> That's probably the case yes. But if you use end-to-end gpg encryption
> then you should be alright. As long as your friends aren't the sort of
> people who hand out their private keys to anyone that asks.

Well, I will have to instruct them not to do that, and to read gpg
documentation. Besides using the encryption plugin, I would like to get
to using gpg for mails.

> Without seeing it I would say that gpg meets your needs, and the authors
> of the plugin have probably done a good job of writing it.

I hope so ...

> My only concern would be the key distribution, but you can come up
> with a solution to that,

They seem to already have taken care of that by automizing the key
exchange. We couldn't try it out yet because the other end had weird
trouble downloading the software, but I guess it will work. Then we will
need to compare the fingerprints, and should be 'sufficiently secure'
for a first attempt.

> especially if you know who you want to talk to before you start.

Yes, I know that. I'm curious if there's any control about the automatic
key exchange. It should at least ask me if I want to allow it.

GH