[messaging] between fingerprint transcription and comparison

[Daniel Kahn Gillmor]

Hi folks--

Thinking about Tom's proposed usability testing gave me another idea for
a fingerprint comparison UI, which i wanted to float here.  It might be
a terrible idea.

I think we all agree that fingerprint transcription is more effective at
avoiding a false match than comparison with "click OK" -- but
transcription is also more tedious, prone to human error, and more time
consuming.

I wonder if it's possible to split the difference from a UI/UX
perspective somehow.

For example, if the application knows that the user is in a use case
where the user is trying to compare the current connection's fingerprint
with something they have received out of band, rather than displaying
the actual fingerprint received on the wire, the UI could display
several candidate fingerprints and have them choose the correct one from
the set, like a police lineup.  This could even be done more than once,
with the "correct" print listed in each of them (or with "the
fingerprint is not listed here" as an option).

Care would have to be taken to present only subtle variations, or to
include the "not listed here" option with greater regularity, or to
present several pages of different choices so that people have to
consider each of them.  We want to avoid the "oh, it's the one that
starts with 6" response.

Do you think this UX would be an improvement over either "click OK
comparison" or complete transcription?  Could we make it less tedious
than transcription, but more secure than "click the OK button to get
this out of my way and let me get to work" experience?

What kind of security properties would this hybrid UX have?

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140310/c7022210/attachment.sig>