[messaging] Comparing introduction secret schemes (was Re: Unlinkable rendezvous via human-sized keys)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Mar 23 19:36:42 PDT 2014

On 03/23/2014 09:56 PM, Trevor Perrin wrote:
> Though I'm calling this "not great useability" because you still have
> to print and carry a deck of cards, handle card halves, and type in
> ~256 bits of ECDH key (51 base32 chars?).

you don't have to handle card halves at all, or type in anything if you
allow webcam/qrcode linkages.  each card can have on it a qrcode and a
(very short, like two letters) tag.  when you exchange cards with
someone else, you just give them a card, looking at it first.  You write
the tag you gave them on the back of the card they gave you.  You get
back to your terminal, scan the QR code, type in the two-letter tag
(which allows your terminal to select the right private key), and you're
on your way.  i'm sure someone cleverer than i am could streamline this
even further.

> Some other changes:
>  - If you're doing lookups through PIR mirrors instead of through the
> user's intro-cert directory, maybe you don't need to exchange the
> directory name?  The PIR thing is still a huge question mark, but I'll
> pretend that works.

yeah, i'm still dubious about the PIR thing.

>  - Fingerprint or multi-use ECDH keys have the benefit that you get
> the user's long-term fingerprint which can be corroborated with
> 3rd-parties to make sure it's correct.

I agree that this is useful in some contexts, but it is in direct
opposition to the stated unlinkability goal.

If folks want to move from unlinkable to linkable identities, that's not
a particularly complicated problem (both parties use their established
channel to send each other proofs of their long-term keys), so i don't
see this as a huge downside.  Going in the opposite direction (from
linkable to unlinkable identities) is basically impossible.
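
The card flow described in this message, as an added sketch that is not part of the original post or of any project's code: the terminal keeps a tag-to-private-key map, each card's QR code carries the matching public key, and the tag typed in after scanning selects the key for ECDH. Assumptions: X25519 as the ECDH function, a base32 QR payload, single-use cards, and the hypothetical names `make_deck`, `qr_payload` and `finish_intro`.

```python
import base64
import secrets

P = 2**255 - 19
BASE_U = (9).to_bytes(32, "little")  # Curve25519 base point (RFC 7748)

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Demo only: not constant-time."""
    s = bytearray(k)
    s[0] &= 248; s[31] &= 127; s[31] |= 64  # clamp the scalar
    n = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") % 2**255
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def make_deck(n: int) -> dict:
    """Terminal-side state: two-letter tag -> one-time private key."""
    tags = (chr(97 + i // 26) + chr(97 + i % 26) for i in range(n))
    return {tag: secrets.token_bytes(32) for tag in tags}

def qr_payload(deck: dict, tag: str) -> str:
    """Text a printed card's QR code would carry (assumed: base32 public key)."""
    return base64.b32encode(x25519(deck[tag], BASE_U)).decode().rstrip("=")

def finish_intro(deck: dict, tag_i_gave: str, scanned: str) -> bytes:
    """Scan their card, type the tag written on its back, derive the secret."""
    peer = base64.b32decode(scanned + "=" * (-len(scanned) % 8))
    # pop: assumed single-use cards, so the private key is discarded after use
    shared = x25519(deck.pop(tag_i_gave), peer)
    if shared == bytes(32):
        raise ValueError("low-order public key on scanned card")
    return shared
```

Neither side's terminal learns or stores a long-term key in this flow; the only state linking a card to its owner is the tag-to-key map on the owner's own terminal.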

