On Mon, Mar 27, 2006 at 12:50:29PM -0800, Joe Touch wrote:
> Nicolas Williams wrote:
> > On Mon, Mar 27, 2006 at 10:35:44AM -0800, Joe Touch wrote:
> >>> LoF isn't merely about accepting unauthenticated peers -- in the context
> >>> of SSH, for example, it's about interactively asking if a peer's public
> >>> key is "valid" and then recording it so that subsequently no such
> >>> interaction is necessary.
> >> This is the part I don't quite understand.
> >>
> >> Where's the LOF?
> >
> > It's what we as human users do: "validate" (as if they even usually
> > could, via some oob way) a peer's public key so that the application can
> > create a pseudonymous-ID-(public key)-to-peer-address/ID/name/... binding.
>
> That seems like a very specific thing - out-of-band validation. There's
> no leap there - the user can (and seems like they're expected to)
> validate the key out-of-band.

No, they usually can't, and even more commonly don't. They take a
"leap": "I'm not being attacked"; and usually this leap works out fine
(which teaches them to keep this up).
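A minimal model of the SSH behaviour described above (ask on first contact, record the key-to-peer binding, then check silently on later contacts, and flag a changed key), added here as an illustration; it is not part of the thread or of any SSH implementation. The `KnownHosts` class, the `prompt` callback standing in for the interactive question, and the key bytes are all constructed for the example.

```python
import base64
import hashlib
from enum import Enum
from typing import Callable


class Verdict(Enum):
    FIRST_SEEN = "no binding yet; user accepted, key recorded (the leap of faith)"
    DECLINED = "no binding yet; user declined, nothing recorded"
    MATCH = "recorded key confirmed; no user interaction needed"
    MISMATCH = "recorded key differs from the one presented; possible attack"


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 digest without '=' padding."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Constructed known_hosts-like store: peer name -> recorded public key."""

    def __init__(self) -> None:
        self._bindings: dict[str, bytes] = {}

    def check(self, peer: str, pubkey: bytes,
              prompt: Callable[[str, str], bool]) -> Verdict:
        recorded = self._bindings.get(peer)
        if recorded is None:
            # First contact: the only check available is the user's answer to
            # "is this fingerprint valid?", which is the leap of faith.
            if prompt(peer, fingerprint(pubkey)):
                self._bindings[peer] = pubkey
                return Verdict.FIRST_SEEN
            return Verdict.DECLINED
        if recorded == pubkey:
            return Verdict.MATCH
        # A changed key is never silently accepted or overwritten; the stored
        # binding stays so the event can be investigated out of band.
        return Verdict.MISMATCH


if __name__ == "__main__":
    store = KnownHosts()
    accept_all = lambda peer, fp: True  # simulates a user answering "yes"
    print(store.check("host.example", b"constructed-key-A", accept_all))
    print(store.check("host.example", b"constructed-key-A", accept_all))
    print(store.check("host.example", b"constructed-key-B", accept_all))
```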
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.