[messaging] Useability of public-key fingerprints

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jan 30 16:34:53 PST 2014

Trevor Perrin <trevp at trevp.net> writes:

>(A) Most people will never check or understand public-key fingerprints, so we
>need something more automatic (eg TOFU and/or trusted infrastructure)

See for example "Do Users Verify SSH Keys?" (Abstract: "No"), 

>(B) Those users who *are* motivated to deal with fingerprints will be
>motivated enough to make them work whether 25 or 40 chars, base32 or base16,

They'll be motivated enough to do some checking, but given result from work on 
fuzzy fingerprints (referenced in the above article) no-one but the most 
singularly OCD will actually do the check properly, i.e. rigorously check all 
40 characters for every key they deal with.


More information about the Messaging mailing list