[messaging] Let's run a usability study (was Useability of public-key fingerprints)
michael at briarproject.org
Sat Mar 29 05:11:39 PDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
On 24/03/14 09:57, Daniel Thomas wrote:
>> Identicons are a catastrophe for cryptographic use - there's no
>> way an average person can distinguish more than 2^20 different
>> polygonal pictures. Given one picture, it's not hard to make a
>> key whose fingerprint has the roughly the same polygons and
>> colours. Do not use!
Depending on the use case, it may be possible to work around this
limitation by including a private salt (known only to the verifier) in
An attacker trying to match a given identicon would then have to guess
at random, without knowing how close their match was for any given
verifier, and without being able to find a good match for all
verifiers at once.
The downside, of course, is that each verifier would see a different
identicon for a given identity - it wouldn't be possible to print
identicons on business cards etc.
I guess this is analogous to the difference between fingerprints and
short authentication strings.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Messaging