[Freedombox-discuss] Tap-to-share PGP key exchange

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Sep 30 14:43:00 UTC 2011

Hi Timur--

On 09/30/2011 10:09 AM, Timur Mehrvarz wrote:
> I provided this with my original post: http://timur.mobi/anymime-ksp/
> Can you please phrase your concern relative to the fingerprint
> verification example?

I really like what you've done, Timur!  i agree that if the users follow
your directions and explicitly verify each others fingerprints by
looking at their phones side-by-side, they can avoid intrusion from a
networked/RF attacker.

My main concern is that visually comparing two strings of 40 hexadecimal
digits is beyond the attention span of most humans i know.  Even for the
folks who can actually compare all the digits, once a handful of key
exchanges have been done and have always "checked out" by visual
comparison, the user will probably start to get sloppy.

I don't mean this in a pejorative way; comparing long strings of
arbitrary symbols is just not what the human mind is cut out for.

So having a way for the exchange to be securely done *without* users
needing to inspect fingerprints would be an excellent step forward in
the experience of key exchange.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110930/5a7bb875/attachment.pgp>

More information about the Freedombox-discuss mailing list