RE: I'm talking about the man in the middle
> If you don't know who the man on the other end is, except
> by who he says he is, you don't have any way to tell who he is.
>
>
What if it's a merchant you want to send your Visa number to?
> And of course, if you suspect there's a MITM, you should never
> actually send your shared secret across the channel -
> do something like send a challenge string, and respond with
> a hash of the shared secret and the challenge string,
> after making sure the challenge string has enough entropy.
>
>
On the internet there is no need to suspect a man in the middle.
It is guaranteed 100% of the time. So is the man just slightly
left of center, à la Echelon.
> You don't always need to authenticate both directions of
> a communication - if you're initiating a connection to a web server,
> you need to know that you're reaching the real web server,
> but the web server doesn't necessarily care that it's the real you,
> since you could be anybody - it just cares that it's talking to
> one single person during the whole session (unless you're doing a
> kind of transaction that only authorized users are allowed to do.)
>
>
The point here I think is, as you say, you want to make sure you are
talking to the correct web server. You don't have a public key or a
public key fingerprint for the web server or any other shared secret.
How do you do it? There must be a clever way, other than out-of-band
secret sharing, as that has its own problems, like who the hell can
remember a 16-byte PGP fingerprint, let alone a public key.
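The challenge-response exchange described in the quoted text, as an added example that is not code from anyone in this thread. It assumes a 32-byte random challenge, HMAC-SHA256 as the "hash of the shared secret and the challenge string", a constructed secret agreed out of band beforehand, and a single-use challenge table on the verifier so a captured response cannot simply be replayed.

```python
import hmac
import hashlib
import secrets

# Constructed sample secret, assumed to have been shared out of band (not from the page).
SHARED_SECRET = b"example-shared-secret-do-not-reuse"


def make_challenge(nbytes: int = 32) -> bytes:
    """Fresh, unpredictable challenge: the 'enough entropy' requirement from the text."""
    return secrets.token_bytes(nbytes)


def respond(shared_secret: bytes, challenge: bytes) -> bytes:
    """Prover's reply: a keyed hash of the challenge. The secret itself never crosses the wire."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Holds the shared secret and the challenges it has issued but not yet consumed."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret
        self._outstanding: set[bytes] = set()

    def issue_challenge(self) -> bytes:
        challenge = make_challenge()
        self._outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is single-use: a replayed (challenge, response) pair is
        # rejected even though the response was valid when first sent.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = respond(self._secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(verifier: Verifier, prover_secret: bytes) -> tuple[bool, list[bytes]]:
    """One round trip; returns the verdict and the transcript an observer on the wire sees."""
    challenge = verifier.issue_challenge()
    response = respond(prover_secret, challenge)
    transcript = [challenge, response]
    return verifier.check(challenge, response), transcript
```

Note that the transcript contains only the challenge and a 32-byte MAC, so a passive observer learns nothing about the secret, while a second submission of the same pair is refused.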