Friday, April 03, 2009


I found a person's mail on the bus yesterday. I was able to quickly find their email and arrange for them to pick it up today from my office.

When he came, I was in the middle of something, the exchange was something like this:

(at the appointed time)
Him: Hello, is Bob there? I am Alice.
Me: I figured. (hands letter)

So the question is, should I have attempted to authenticate that he really was Alice, instead of Mallory? Communication was all via email, the time and place could have been known to Mallory, and I have no clue what Alice looks like.

I finally told myself that the odds of Mallory existing were vanishingly small. If he did exist, then Alice never came by. So I assume the person was Alice.

The one thing that will keep me up at night: is Alice bound in duct tape in some alley somewhere?


Anonymous said...

your name usages are confusing me. alice is a boy? are you bob? HUH?

(too lazy to sign in...)

Spatchcock said...

Alice, Bob, and Mallory are placeholder names frequently used in computer security examples. Alice typically wants to send a provably secure message to Bob such that Mallory cannot overhear.

A -> B
A -/-> Mallory

Some_guy wishes to communicate his identity, the plaintext, to Joe. Some_guy is the sender, Alice, and Joe is the recipient, Bob.

Mallory is someone who knows Alice will attempt to contact Bob and wishes to intercede to gain Bob's trust and exploit Bob's belief that Mallory is Alice to steal from Alice.

Since Bob doesn't know Alice beforehand and wishes to authenticate Alice with a minimum of overhead, I'd say this worked out.