Re: [saag] The Mathematical Mesh
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 24 April 2019 16:47 UTC
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 24 Apr 2019 12:47:01 -0400
Message-ID: <CAMm+LwgCBAXqWspkgjGdUX-zUwEf7EtBCe8oiHYF2eoJMpR=Ng@mail.gmail.com>
To: Ben Laurie <ben@links.org>
Cc: Ben Laurie <benl@google.com>, secdispatch@ietf.org, IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/t4P7naTsnpRVe30-orgYHSAd3ew>

On Wed, Apr 24, 2019 at 4:53 AM Ben Laurie <ben@links.org> wrote:

>> If we are using QR codes to connect devices, we can transmit the necessary
>> information without the user needing to notice that is what we are doing.
>> Otherwise, there are many existing protocols that make comparison of 15-30
>> character base 32 encoded strings as the basis for mutual authentication
>> and these have proved effective and acceptable.
>
> Oh really? Evidence?

WeChat has a billion accounts and is conservatively estimated to serve about 50% of the population of China. They use QR codes for contact exchange.

https://en.wikipedia.org/wiki/WeChat

One of the biggest problems that we have made for ourselves is making the perfect be the enemy of the good. We insisted on end-to-end secure email and got 0.1% of the mail user population enrolled for credentials of which less than 1% use end-to-end email regularly.

If you want to offer security usability testing resources to improve on the schemes I am proposing, I would be more than happy to make any changes they suggest. But right now the situation is that it took me over 15 minutes to configure Thunderbird to use S/MIME. And I know what I am doing. It is a 17 step process that requires use of a Web browser and email client and multiple switches between the two. It took me another ten minutes to find the instructions.

When the current situation is that users are required to poke themselves in the eye with a sharp stick to get end-to-end security, it doesn't take very much to improve on that.