[messaging] Are we pursuing real solutions for security?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 11 06:15:12 PDT 2014


On 03/11/2014 06:33 AM, Tony Arcieri wrote:
> I feel like solutions that rely on manual verification of key fingerprints
> fall into this category:
> 
> http://i.imgur.com/2bEWKNS.png

There were discussions in the last day on this list about avoiding the
"click-ok-to-get-on-with-it" pattern that people are accustomed to,
including some novel approaches (coming close to "gamification", where
the user is actively involved in the process and not just presented with
the simple "either/or" response).  These are mechanisms to consider for
manual verification of key fingerprints; I've never seen any of these
proposals implemented or considered before.

I think everyone on this list is acutely aware of the peril of "security
fatigue" and wants to avoid it.

> Short Authentication Strings are addressing this problem.

Short Authentication Strings have potentially severe problems in
anything other than a human→human synchronous communications
environment.  Not every environment where we want cryptographic
verification fits this model (some are asynchronous, some are
human→machine).

	--dkg

