[messaging] Social Security cards and additional issues

Trevor Perrin trevp at trevp.net
Thu Jan 30 12:57:08 PST 2014

On Thu, Jan 30, 2014 at 12:21 PM, Watson Ladd <watsonbladd at gmail.com> wrote:
> Take your social security card: notice that the number is broken up
> into unequal blocks.
> The same is true for telephone numbers.
> I don't think this is coincidence: has human interaction research been
> conducted on
> making strings easily identifiable?

There's research on character legibility and word recognition that's
not hard to find (eg Miles Tinker, Kevin Larson).  But for
alphanumeric strings of crypto length I couldn't find much.

> The second point concerns the need for fingerprints in the first
> place. We're looking at a future that is increasingly multi-device.
> Transparently managing shared contacts including cryptographic
> identities from prior encounters obviates the need for fingerprints.

Certainly Trust-On-First-Use (TOFU) or a trusted infrastructure could
provide a nicer UX than fingerprint verification.

But I suspect there will always be use cases where manual verification
matters (e.g. first-time contact, or users with high-security
requirements).  So I don't think the need for fingerprints is
completely "obviated", though I agree we shouldn't force all users to
deal with them.

> However, it does raise all sorts of tracking questions/how to access
> this shared contact file from a new device?

Yes, syncing devices is also a hard problem, particularly in the
context of "ratcheting" algorithms which update keys for forward
secrecy.  Perhaps another thread sometime...

> Thirdly, UX remains a huge issue. Cryptocat got this right, and a
> desktop Java application is probably the best current solution
> (although Java is no longer as ubiquitous as it once was). Pond is
> having issues making a cross-system GUI. Unless we can get people to
> use our solutions, they don't matter.

Yes, good UIs are difficult.


More information about the Messaging mailing list