Re: [Secdispatch] [saag] The Mathematical Mesh

Phillip Hallam-Baker <> Wed, 24 April 2019 16:47 UTC

From: Phillip Hallam-Baker <>
Date: Wed, 24 Apr 2019 12:47:01 -0400
Message-ID: <>
To: Ben Laurie <>
Cc: Ben Laurie <>,, IETF SAAG <>
List-Id: Security Dispatch <>

On Wed, Apr 24, 2019 at 4:53 AM Ben Laurie <> wrote:

>> If we are using QR codes to connect devices, we can transmit the necessary
>> information without the user needing to notice that is what we are doing.
>> Otherwise, there are many existing protocols that make comparison of 15-30
>> character base 32 encoded strings as the basis for mutual authentication
>> and these have proved effective and acceptable.
> Oh really? Evidence?

WeChat has a billion accounts and is conservatively estimated to serve
about 50% of the population of China. They use QR codes for contact

One of the biggest problems that we have made for ourselves is making the
perfect be the enemy of the good. We insisted on end-to-end secure email
and got 0.1% of the mail user population enrolled for credentials of which
less than 1% use end-to-end email regularly.

If you want to offer security usability testing resources to improve on the
schemes I am proposing, I would be more than happy to make any changes they

But right now the situation is that it took me over 15 minutes to configure
Thunderbird to use S/MIME. And I know what I am doing. It is a 17-step
process that requires use of a Web browser and email client and multiple
switches between the two. It took me another ten minutes to find the

When the current situation is that users are required to poke themselves in
the eye with a sharp stick to get end-to-end security, it doesn't take very
much to improve on that.