Re: [saag] The Mathematical Mesh

Ben Laurie <ben@links.org> Wed, 24 April 2019 16:52 UTC

References: <CAMm+LwiF3iGiRO5reW4KCgf8vp=Kv=+4pD+_rGOcxEsD1Hxk4g@mail.gmail.com> <20190422190302.GA3137@localhost> <CAMm+Lwj1BV1=UQwE8-5tPO_mxOVixfkiUjXvu+U_AgnSzzkjvg@mail.gmail.com> <CABrd9STVA=fT+oH7f4S_x8JQVaQRUJASWCY5g4pnhQL6ezWaHA@mail.gmail.com> <CAMm+LwhEGTCG7Ucu7xiv0fYZHjxAhe5D6MdU6EYN4UTi0zLnrg@mail.gmail.com> <CAG5KPzwr9oAP5270jE2N-Sw=d_g_YuhQ5_qB3W0OfggGrcU_qA@mail.gmail.com> <CAMm+LwgCBAXqWspkgjGdUX-zUwEf7EtBCe8oiHYF2eoJMpR=Ng@mail.gmail.com>
In-Reply-To: <CAMm+LwgCBAXqWspkgjGdUX-zUwEf7EtBCe8oiHYF2eoJMpR=Ng@mail.gmail.com>
From: Ben Laurie <ben@links.org>
Date: Wed, 24 Apr 2019 17:52:22 +0100
Message-ID: <CAG5KPzxC09HFmR4YaGPPxZRene_ix=XWs02JVoWmiDRTSybvWA@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Ben Laurie <benl@google.com>, secdispatch@ietf.org, IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6Fe2Q_ijrfsgDI9L3jRr24QCJLI>
Subject: Re: [saag] The Mathematical Mesh

On Wed, 24 Apr 2019 at 17:47, Phillip Hallam-Baker <phill@hallambaker.com>
wrote:

> On Wed, Apr 24, 2019 at 4:53 AM Ben Laurie <ben@links.org> wrote:
>
>>> If we are using QR codes to connect devices, we can transmit the
>>> necessary information without the user needing to notice that is what we
>>> are doing. Otherwise, there are many existing protocols that make
>>> comparison of 15-30 character base 32 encoded strings as the basis for
>>> mutual authentication and these have proved effective and acceptable.
>>>
>>
>> Oh really? Evidence?
>>
>
> WeChat has a billion accounts and is conservatively estimated to serve
> about 50% of the population of China. They use QR codes for contact
> exchange.
>
> https://en.wikipedia.org/wiki/WeChat
>

"In China, digital marketing around QR code is an environmental feature of
some international cities, such as Guangzhou, Shanghai and Beijing."

Not so much around these parts.


> One of the biggest problems that we have made for ourselves is making the
> perfect be the enemy of the good. We insisted on end-to-end secure email
> and got 0.1% of the mail user population enrolled for credentials of which
> less than 1% use end-to-end email regularly.
>

This I do very much agree with.


>
> If you want to offer security usability testing resources to improve on
> the schemes I am proposing, I would be more than happy to make any changes
> they suggest.
>
> But right now the situation is that it took me over 15 minutes to
> configure Thunderbird to use S/MIME. And I know what I am doing. It is a 17
> step process that requires use of a Web browser and email client and
> multiple switches between the two. It took me another ten minutes to find
> the instructions.
>
> When the current situation is that users are required to poke themselves
> in the eye with a sharp stick to get end-to-end security, it doesn't take
> very much to improve on that.
>

I don't disagree with this, either. I do object, however, to assertions
that things are obviously usable.
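As an added example, not code from the thread or from the Mesh project: the quoted message mentions mutual authentication by comparing 15-30 character base32 strings; the block below derives such a truncated fingerprint from a key blob (SHA-256 then base32 is an assumed construction, not one the thread specifies), shows the security margin a given length buys, and compares two fingerprints in a timing-safe way.

```python
# Added example, not code from the thread: deriving a short base32
# fingerprint of the kind the quoted message mentions (15-30 characters),
# its work factor, and a timing-safe comparison. Key bytes are constructed.
import base64
import hashlib
import hmac


def fingerprint(public_key: bytes, chars: int) -> str:
    """SHA-256 the key, base32-encode the digest (RFC 4648 alphabet),
    strip padding and keep the first `chars` characters."""
    encoded = base64.b32encode(hashlib.sha256(public_key).digest())
    encoded = encoded.decode("ascii").rstrip("=")  # 52 characters
    if not 1 <= chars <= len(encoded):
        raise ValueError("fingerprint length out of range")
    return encoded[:chars]


def grouped(fp: str, group: int = 5) -> str:
    """Render a fingerprint in groups so a user can compare it visually."""
    return "-".join(fp[i:i + group] for i in range(0, len(fp), group))


def fingerprint_bits(chars: int) -> int:
    """Each base32 character carries 5 bits of the underlying digest, so
    15 characters give 75 bits and 30 give 150. An attacker who must
    produce a key matching a victim's fingerprint (a second preimage on
    the truncated digest) expects about 2**fingerprint_bits(chars) tries."""
    return 5 * chars


def fingerprints_match(shown: str, expected: str) -> bool:
    """Timing-safe comparison of two fingerprints after normalising case
    and the '-'/' ' separators that grouped() or a user may insert."""
    def norm(s: str) -> str:
        return s.replace("-", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(shown), norm(expected))


# Constructed sample key bytes; a real key would be the encoded public key.
SAMPLE_KEY = b"constructed-sample-public-key-bytes"

if __name__ == "__main__":
    for n in (15, 30):
        fp = fingerprint(SAMPLE_KEY, n)
        print(f"{n} chars: {grouped(fp)} ({fingerprint_bits(n)} bits)")
```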