Network transparancy api review.
Aaron J. Seigo
aseigo at kde.org
Wed Jun 24 04:16:34 CEST 2009
On Tuesday 23 June 2009, Rob Scheepmaker wrote:
> On Tuesday 23 June 2009 19:42:55 Fabrizio Montesi wrote:
> > On Tue, Jun 23, 2009 at 7:05 PM, Rob Scheepmaker <
> >
> > r.scheepmaker at student.utwente.nl> wrote:
> > > Hello everybody,
> > >
> > > [cut]
> >
> > Hi Rob,
> > just a quick comment about identifying remote machines. What about
> > combining public key authentication with the bluetooth pairing method
> > (the host writes a PIN, the client is asked for the PIN, the two PINs
> > must match)?
> > This way if the user is too lazy to check the public key we reduce
> > greatly the attacker's possibilities. Using this approach we'd have to
> > face the fact that a lazy user could write "1234" as a PIN, too: the host
> > side UI for writing the PIN should warn the user that things like "1234"
> > are not such a good idea.
>
> A quite good idea. So the first time we receive a new key we ask for a
> password at both sides which have to match. And if the key is already there
> then this step isn't necesarry. I'll think about how to integrate this
> nicely with the api.
this only works, of course, when there's a human pairing the two devices that
are within reach/sight. it must also be possible for one side of the
transaction to be a machine hidden in a wall. :)
--
Aaron J. Seigo
humru othro a kohnu se
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
KDE core developer sponsored by Qt Software
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://mail.kde.org/pipermail/plasma-devel/attachments/20090623/226c377b/attachment.sig
More information about the Plasma-devel
mailing list