[messaging] Useability of public-key fingerprints
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Jan 30 16:34:53 PST 2014
Trevor Perrin <trevp at trevp.net> writes:
>(A) Most people will never check or understand public-key fingerprints, so we
>need something more automatic (eg TOFU and/or trusted infrastructure)
See for example "Do Users Verify SSH Keys?" (Abstract: "No"),
https://www.usenix.org/system/files/login/articles/105484-Gutmann.pdf.
>(B) Those users who *are* motivated to deal with fingerprints will be
>motivated enough to make them work whether 25 or 40 chars, base32 or base16,
>etc.
They'll be motivated enough to do some checking, but given result from work on
fuzzy fingerprints (referenced in the above article) no-one but the most
singularly OCD will actually do the check properly, i.e. rigorously check all
40 characters for every key they deal with.
Peter.
More information about the Messaging
mailing list