Question Regarding the Absence of a Sending Method in the Challenge Class

[t-kanuma]

It seems that the Challenge class does not have a method for sending a challenge to others.
Would it be a common implementation to generate send it using the Exchange.send(..) method ?

[kentbull]

When you say "to others" what are you referring to? The existing Challenge class can send a challenge to any identifier it has been introduced to (had an OOBI resolution performed).

[lenkan]

I believe the concept of "sending" the challenge is meant to be handled out of band. So you will not actually send a challenge to the agent of the respondent. The steps would be:

1. Member A resolves OOBI for Member B
2. Member B resolves OOBI for Member A
3. Member A generates a challenge phrase
4. Member A communicates the challenge phrase to Member B through some other medium, for example by speaking with them.
5. Member B sends the challenge phrase in a signed exn message to the Member A
6. Member A verifies that Member B has responded to the same phrase that they communicated in step 4

In the challenge.test.ts you can see that the challenger does not ever send the challenge to the respondent.

[t-kanuma]

I appreciate your response.

@kentbull

When you say "to others" what are you referring to?

I am referring to other entities (agents). I understand that the KERIA agent communicates peer-to-peer (P2P) with other entities' KERIA agents. While there are abstracted methods such as Challenge#respond(..) and Challenge#responded(..) for handling this P2P communication for certain purposes, there is no corresponding method provided for sending the challenge word. That is why I asked the question.

@lenkan

In the challenge.test.ts you can see that the challenger does not ever send the challenge to the respondent.

Yes, I read this, which led me to question what the legitimate means of sending the challenge word should be, and that’s why I asked the question.

I believe the concept of "sending" the challenge is meant to be handled out of band. So you will not actually send a challenge to the agent of the respondent.

Does this mean that it aligns with the standard specification of OOBI, or at least does not deviate from it?

[kentbull]

Protecting yourself from man in the middle attacks over the internet is why you share the challenge phrase out of band. The "out of band" phrase in this context means on a different communication channel than the primary one you are using. You share the challenge phrase in a different, secondary communications channel like a live video call so you can be assured that you are not suffering from an eclipse attack or other man in the middle attacks.

[t-kanuma]

The OOBI (AID, Service Endpoint) itself is exchanged out-of-band (OOB), like via video call, so why is it necessary to also send the challenge word in the next step via OOB?
Since the key exchange has already been performed, a MITM attack should not be feasible even when sending and receiving P2P messages.

What you said didn’t quite make sense to me, but I understood that the sending a challenge word on video call was not problematic. Thank you.