[Standards] Some thoughts on possible OMEMO trust models
vanitasvitae at riseup.net
Tue Feb 21 21:02:28 UTC 2017
Am 20.02.2017 um 07:50 schrieb Jonas Wielicki:
> > Possible problem: What happens when an attacker distrusts all your
> > devices or creates paradox trust decisions?
> Hold on, what kind of attacker? Please state an attacker model here:
> what can
> the attacker do, where does it sit in the grand scheme of things?
> A server-level attacker should not be able to add trust between
> devices (only
> remove it by breaking the signatures or removing items or nodes from the
> Likewise, a device-level attacker should not be able to add trust between
> devices other than the device it is controlling. Again, removal is
> via PubSub.
Sorry, for being unclear. What my concern is, what happens, when an
attacker with access to one device messes with the signatures.
Let's assume, You have device A and B. A trusted a lot of contacts
devices including Bobs device b. Now you have a newer device B, with
that you trusted A and by doing so, have transitive trust in devices
trusted by A (like Bobs b).
What happens, when an attacker that compromised Bobs account, gets
access to A and trusts a foreign malicious device c, which is logged in
with Bobs details, so that A now trusts b and c.
Since B trusted A, B now also trusts c. The attacker hadn't to get
direct access to B, but by compromising A (which is higher in the trust
hierarchy), he compromised B's "trust situation".
I hope my writing isn't too confusing (so much repeating words...).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the Standards