Toot

Written by Robert Gützkow on 2025-01-16 at 06:19

@sj @dangoodin how would you know whether or not the public key belongs to Alice? Usually in protocols you would have a handshake at the beginning where you'd verify that the sender can sign a message properly. The public key of the sender would have to be known prior and out of band (think certificates like in TLS). Here they just place the public key in the message and use it for the signature verification. As far as I can see, there is nothing in the snippet ensuring that the public key belongs to the sender we are expecting to communicate with.

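The gap described in the post, as an added example (not the snippet under discussion in the thread and not the author's code): Ed25519 verification against the key carried inside the message accepts a message signed by any key, while verification against a key pinned out of band does not. The function names, the `trustedKeys` map and all messages are constructed for illustration.

```javascript
// Added example: constructed names and messages, not the snippet discussed in the thread.
const crypto = require("node:crypto");

// Sender side: sign the body and attach the signer's own public key to the message.
function makeMessage(from, body, keyPair) {
  const signature = crypto.sign(null, Buffer.from(body), keyPair.privateKey);
  const publicKey = keyPair.publicKey.export({ type: "spki", format: "pem" });
  return { from, body, publicKey, signature: signature.toString("base64") };
}

// Pattern criticised in the post: verify with whatever key the message carries.
// This proves only that the body matches the enclosed key, not who owns that key.
function verifyWithEmbeddedKey(msg) {
  const key = crypto.createPublicKey(msg.publicKey);
  return crypto.verify(null, Buffer.from(msg.body), key, Buffer.from(msg.signature, "base64"));
}

// Verification bound to identity: look up the key for the claimed sender in a
// store populated out of band, and ignore the key inside the message.
function verifyWithPinnedKey(msg, trustedKeys) {
  const pinned = trustedKeys.get(msg.from);
  if (!pinned) return false; // unknown sender: no basis for trust
  return crypto.verify(null, Buffer.from(msg.body), pinned, Buffer.from(msg.signature, "base64"));
}

function demo() {
  const alice = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519"); // any party that is not Alice
  const trustedKeys = new Map([["alice", alice.publicKey]]); // obtained out of band

  const genuine = makeMessage("alice", "status: ok", alice);
  const mislabeled = makeMessage("alice", "status: ok", other); // claims Alice, other key
  return {
    embeddedGenuine: verifyWithEmbeddedKey(genuine),
    embeddedMislabeled: verifyWithEmbeddedKey(mislabeled),
    pinnedGenuine: verifyWithPinnedKey(genuine, trustedKeys),
    pinnedMislabeled: verifyWithPinnedKey(mislabeled, trustedKeys),
    pinnedUnknown: verifyWithPinnedKey(makeMessage("bob", "hi", other), trustedKeys),
  };
}

console.log(demo());
```

Both embedded-key checks return `true`, which is the point: a check that trusts the enclosed key cannot tell the two senders apart.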