On 9/18/22 06:09, Philip Prindeville wrote:
On Sep 15, 2022, at 4:27 PM, Michael Wojcik via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
You still haven't explained your threat model, or what mitigation
the application can take if this requirement is violated, or why
you think this is a "best practice". >
The threat model is impersonation, where the legitimate key has been
replaced by someone else's key, and the ensuing communication is
neither authentic nor private.
Maybe I'm ignorant but shouldn't this be prevented by ensuring the
authenticity and correct identity mapping of the public key?
More information is needed about how you're system is working to comment
on this.
Ciao, Michael.
