Re: [saag] I-D Action: draft-birk-pep-trustwords-00.txt (fwd)

Hi.

At a former employer we used the function described in RFC 1751 to show a user the CA or server fingerprint so as to make sure that their VPN client was connecting to the correct server. It would be used as part of the instructions for the user:  Type in “192.0.2.5” or “vpnserver.example.com <http://vpnserver.example.com/>” at the server box, click “Connect” and you will see a fingerprint field. Make sure it says “TIDE ITCH SLOW REIN RULE MOT”.

This has proved OK for ordinary non-technical users, but I can’t be sure any of them ever compared the strings. It’s easier to just click OK. Similarly for point #3, I don’t think either of them calls for the user to write anything down, except in the instructions from the administrator.

BTW: even if you make sure your dictionary contains only innocuous words (no swear words), the combinations sometimes can be open to interpretations: HERO JAKE LAID JAIL BAIT GLAD can come out of the algorithm in RFC 1751.

Anyway, I think your draft should reference RFC 1751 and state these differences.

Yoav

> On 23 Feb 2018, at 17:06, Bernie Hoeneisen <bernie@ietf.hoeneisen.ch> wrote:
> 
> Hi Yoav
> 
> Thanks for you email.
> 
> This work is different from RFC1751 in many ways, e.g.:
> 
> 1) The target audience for this new work to use are ordinary human users, i.e. not technical stuff (or IT geeks) only. (Even grandma shall be able to use it.)
> 
> 2) The hexadecimal (sub-)strings mapped into a single trustword are longer. This results in fewer trustwords to compare, but more trustwords in the dictionary.
> 
> 3) The keywords are only read (and compared), but not written down by humans
> 
> 4) The keywords will be available in many languages as opposed to English only
> 
> Does this answer you question?
> 
> All the best
> Bernie
> 
> --
> 
> http://ucom.ch/
> Modern Telephony Solutions and Tech Consulting for Internet Technology
> 
> 
> On Fri, 23 Feb 2018, Yoav Nir wrote:
> 
>> Hi, Bernie.
>> 
>> How is this better/different from RFC 1751?
>> 
>> Thanks
>> 
>> Yoav
>> 
>>> On 23 Feb 2018, at 12:42, Bernie Hoeneisen <bernie@ietf.hoeneisen.ch> wrote:
>>> 
>>> Please be informed that another I-D of the pEp (Pretty Easy Privacy) series has just been published. You can find it on:
>>> 
>>> https://datatracker.ietf.org/doc/draft-birk-pep-trustwords/
>>> 
>>> Abstract:
>>> 
>>>   In public-key cryptography comparing the public keys' fingerprints of
>>>   the communication partners involved is vital to ensure that there is
>>>   no man-in-the-middle (MITM) attack on the communication channel.
>>>   Fingerprints normally consist of a chain of hexadecimal chars.
>>>   However, comparing hexadecimal strings is often impractical for
>>>   regular users and prone to misunderstandings.
>>> 
>>>   To mitigate these challenges, this memo proposes the comparision of
>>>   trustwords as opposed to hexadecimal strings.  Trustwords are common
>>>   words in a natural language (e.g., English) to which the hexidecimal
>>>   strings are mapped to.  This makes the verification process more
>>>   natural.
>>> 
>>> Anyways, we are looking forward to your feedback!
>>> 
>>> All the best
>>> Bernie
>>> 
>>> 
>>> ---------- Forwarded message ----------
>>> From: <internet-drafts@ietf.org>
>>> Date: Thu, Feb 22, 2018 at 9:17 AM
>>> Subject: I-D Action: draft-birk-pep-trustwords-00.txt
>>> To: i-d-announce@ietf.org
>>> 
>>> 
>>> 
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> 
>>> 
>>>        Title           : pretty Easy privacy (pEp): Trustwords concept
>>>        Authors         : Volker Birk
>>>                          Hernani Marques
>>>                          Bernie Hoeneisen
>>>        Filename        : draft-birk-pep-trustwords-00.txt
>>>        Pages           : 6
>>>        Date            : 2018-02-22
>>> 
>>> Abstract:
>>>   In public-key cryptography comparing the public keys' fingerprints of
>>>   the communication partners involved is vital to ensure that there is
>>>   no man-in-the-middle (MITM) attack on the communication channel.
>>>   Fingerprints normally consist of a chain of hexadecimal chars.
>>>   However, comparing hexadecimal strings is often impractical for
>>>   regular users and prone to misunderstandings.
>>> 
>>>   To mitigate these challenges, this memo proposes the comparision of
>>>   trustwords as opposed to hexadecimal strings.  Trustwords are common
>>>   words in a natural language (e.g., English) to which the hexidecimal
>>>   strings are mapped to.  This makes the verification process more
>>>   natural.
>>> 
>>> 
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-birk-pep-trustwords/
>>> 
>>> There are also htmlized versions available at:
>>> https://tools.ietf.org/html/draft-birk-pep-trustwords-00
>>> https://datatracker.ietf.org/doc/html/draft-birk-pep-trustwords-00
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>> 
>>> _______________________________________________
>>> I-D-Announce mailing list
>>> I-D-Announce@ietf.org
>>> https://www.ietf.org/mailman/listinfo/i-d-announce
>>> Internet-Draft directories: http://www.ietf.org/shadow.html
>>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>> 
>> 

Re: [saag] I-D Action: draft-birk-pep-trustwords-00.txt (fwd)

Attachment: signature.asc