Re: [openpgp] Fingerprints

[ianG <iang@iang.org>]

On 17/04/2015 18:46 pm, Daniel Kahn Gillmor wrote:

>   * human-representable form of the digest: e.g. hex, base32, common
>     hyphenation patterns, etc.  there are legibility/usability factors
>     here that i don't know enough to comment on.




Just on that, I recently went through an exercise where phones get 
introduced to phones.  Once introduced the phones can speak to servers 
directly naming their new friends and get high quality information in 
dense cryptographic form.  Users need not be bothered by the arcania.

But two people meeting for the first time is a bother, especially as 
there are no presentations of cryptographic information in the app at 
all, and we can't rely on the various bluetooth and so forth local 
interactions.

We tried some variants, and in the end, I settled on a 4-letter base26. 
  It is created on one phone (register on server) and typed into the 
other phone (lookup on server).

The base26 alpha was chosen because many phones have tiny keyboards 
which require hitting a meta key to get out to numerics.  This made the 
Base32, hex and other mixed alphanumerics a pain, it about doubled the 
workload and more than doubled the error rate.

A count of 4 characters was settled on because it was enough to provide 
some discrimination but not enough to seriously challenge the users. 
Users found 6 characters to be a bit testy (I include myself in this) 
whereas people felt that if they couldn't handle 4 characters felt they 
could blame themselves for the errors not the system.



iang


ps;  The codes themselves once created are only valid for an hour, 
suitable for a face to face meeting, so there is a lot more space available.

ps2;  4 uppercase letters was also used by the military back in the old 
pencil & paper tactical codes days.  At least my military.