Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Are key IDs good security UX? #8

Closed
pfrazee opened this issue Aug 19, 2014 · 8 comments
Closed

Are key IDs good security UX? #8

pfrazee opened this issue Aug 19, 2014 · 8 comments

Comments

@pfrazee
Copy link
Contributor

pfrazee commented Aug 19, 2014

Thoughtful post on this: https://www.debian-administration.org/users/dkg/weblog/105. I love the proquint, but I wonder if we're better of relying on the WoT?

@dominictarr
Copy link
Contributor

I have mixed feelings about this. All technologies have aspects of that technology that the user must understand, from riding a bicycle to flying in a airplane. I the web you need to know about urls and "refresh".

I think the idea that people can't understand crypto is wrong. It's that people try to explain it by talking about advanced math. You don't need to understand the math, you just need to understand it's properties.

take for example this fary tail: http://en.wikipedia.org/wiki/Rumplestiltskin

It is basically about asymetric cryptography. The imp spins straw into gold (mining bitcoin?).
The queen tries to bruteforce his private key ("True Name") but it doesn't work,
however, the Imp is careless and the queen discovers it! Attacking the crypto didn't work
but the imp made a mistake and the queen learned his key.

As is mentioned in the Variant section many (most?) cultures have a variant of the same story.

@dominictarr
Copy link
Contributor

Also, people can handle phone numbers, credit card numbers, and bitcoin addresses.

People understand the concept of DNA or a fingerprint being unique identifiers.

We should certainly avoid the need to have people copy or manually enter in hashes,
but I don't think this means we should avoid putting them in the ui.

@dominictarr
Copy link
Contributor

Also, to use facebook people still need to understand things about how facebook works,
the control that FB has or doesn't have. Certainly people understand a simpler model - but we shouldn't try to fit our thing into that model. We need to differentiate ourselves.

@pfrazee
Copy link
Contributor Author

pfrazee commented Aug 19, 2014

I agree on all counts (and we should check if rumplestiltskin wasn't a written by a time-traveling satoshi). My problem isn't that people can't handle an id- it's that an attacker can generate a collision id, and people will have learned to rely on its uniqueness. If you can't really trust an id fully, then you'll have to also check the public key and the mutual followers, so the id wasn't a benefit.

If we can do a 32 byte ECC, that'll be in the ballpark of a credit card...

F43G 59D3 WR1A 11SZ
C783 34ZZ A1MJ 8721

That's not bad at all

@dominictarr
Copy link
Contributor

absolutely.

@dominictarr
Copy link
Contributor

we are addressing this using https://github.com/pfraze/base-emoji

@jbenet
Copy link

jbenet commented Nov 22, 2014

I love this. ❤️ 👍 it's a great idea for interfacing with humans.

@dominictarr
Copy link
Contributor

@jbenet you should install phoenix and see what your emoji name is!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants