[messaging] Useability of public-key fingerprints

Dominik Schürmann dominik at dominikschuermann.de
Thu Jan 30 04:55:21 PST 2014


On Thu, 2014-01-30 at 12:09 +0000, Michael Rogers wrote:
> My intuition about alphabets is that uncertainty about the alphabet
> slows people down. For example, if people don't know that an OTR
> fingerprint is case-insensitive hex, they may read "B03F" as "capital
> b, capital o... no, sorry, zero... three, capital f". Likewise they
> may read out punctuation that's used to group the symbols.
> 
> Think about speaking to a stranger over a bad phone line. Digits can
> be communicated fairly efficiently in groups of two or three. Letters
> require the phonetic alphabet, and if you don't both know that the
> other person's familiar with it, that means "a for alpha, b for bravo"
> rather than "alpha, bravo". If you have to pronounce lowercase and
> uppercase as well, something like base58 becomes less time-efficient
> than decimal digits.

Hi,

I just joined the mailing list and this discussion, so sorry if it was
already proposed.

Your phone example reminds me of ZRTP, which uses the "PGP word list"
instead of a fingerprint. See
http://philzimmermann.com/docs/PGP_word_list.pdf
In addition, ZRTP uses a hash-commitment-based protocol, which allows
the number of words to be compared over the phone to be reduced to 2.
Obviously, this hash commitment is only possible when establishing a
digital connection between participants. Comparing fingerprints offline
would generate long lists of words.
I wonder if we could build a sentence out of a fingerprint...

Regards
Dominik
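
The commit-then-reveal idea mentioned above, as an added example that is not part of the original message: a simplified Python sketch, not ZRTP's actual message format or key derivation. The function names and the 32-byte random "shares" standing in for the parties' public key material are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SAS_BITS = 16    # two PGP-word-list words, 8 bits per word
SHARE_LEN = 32   # fixed length keeps the concatenations below unambiguous


def commit(share: bytes) -> bytes:
    """Commitment sent first: hides the share but binds the sender to it."""
    return hashlib.sha256(b"commit" + share).digest()


def sas(initiator_share: bytes, responder_share: bytes) -> int:
    """Short authentication string: leading 16 bits of a hash over both shares."""
    digest = hashlib.sha256(b"sas" + initiator_share + responder_share).digest()
    return int.from_bytes(digest[: SAS_BITS // 8], "big")


def responder_sas(commitment: bytes, responder_share: bytes,
                  revealed_share: bytes) -> int:
    """Check the reveal against the earlier commitment, then derive the SAS."""
    if not hmac.compare_digest(commit(revealed_share), commitment):
        raise ValueError("revealed share does not match the commitment")
    return sas(revealed_share, responder_share)


def run_exchange():
    # Constructed stand-ins for the two parties' public key shares.
    a_share = secrets.token_bytes(SHARE_LEN)
    b_share = secrets.token_bytes(SHARE_LEN)
    # 1. initiator -> responder: commitment only
    commitment = commit(a_share)
    # 2. responder -> initiator: b_share, chosen without having seen a_share
    # 3. initiator -> responder: a_share (the reveal), checked by the responder
    return sas(a_share, b_share), responder_sas(commitment, b_share, a_share)


if __name__ == "__main__":
    initiator_value, responder_value = run_exchange()
    print(f"initiator SAS {initiator_value:04x}, responder SAS {responder_value:04x}")
```

Because each side fixes its share before learning the other's, nobody in the exchange can search for a share that produces a chosen 16-bit value, which is why two spoken words suffice online while an offline fingerprint comparison needs the full hash.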