[messaging] Comparing introduction secret schemes (was Re: Unlinkable rendezvous via human-sized keys)

Trevor Perrin trevp at trevp.net
Sun Mar 23 20:54:57 PDT 2014

On Sun, Mar 23, 2014 at 7:36 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On 03/23/2014 09:56 PM, Trevor Perrin wrote:
>> Though I'm calling this "not great useability" because you still have
>> to print and carry a deck of cards, handle card halves, and type in
>> ~256 bits of ECDH key (51 base32 chars?).
> you don't have to handle card halves at all, or type in anything if you
> allow webcam/qrcode linkages.  each card can have on it a qrcode and a
> (very short, like two letters) tag.  when you exchange cards with
> someone else, you just give them a card, looking at it first.  You write
> the tag you gave them on the back of the card they gave you.  You get
> back to your terminal, scan the QR code, type in the two-letter tag
> (which allows your terminal to select the right private key), and you're
> on your way.

That's better than I was thinking, sorry I didn't catch that before.

Though still not in love with printing and carrying a stack of unique
cards, and the protocol steps around exchanging them.

>>  - Fingerprint or multi-use ECDH keys have the benefit that you get
>> the user's long-term fingerprint which can be corroborated with
>> 3rd-parties to make sure it's correct.
> I agree that this is useful in some contexts, but it is in direct
> opposition to the stated unlinkability goal.

It's in opposition to "unlinkable pseudonyms" (whether users can tell
if they're talking to the same person).

But the main goal here (IMO) is "unlinkable communications", which
it's not in opposition too (whether an observer can tell which users
are talking).

> If folks want to move from unlinkable to linkable identities, that's not
> a particularly complicated problem (both parties use their established
> channel to send each other proofs of their long-term keys), so i don't
> see this as a huge downside.  Going in the opposite direction (from
> linkable to unlinkable identities) is basically impossible.

Disagree with that, it's easy to create multiple identities (aka
public keys) to have "unlinkable pseudonyms".  So my preference is for
having linkable pseudonyms as a default, to aid in authentication
(users corroborating fingerprints with each other and 3rd parties).
Users who want unlinkable / compartmented identities can spend the
effort to create those.

We had a little bit on this earlier -



More information about the Messaging mailing list