Re: [Secdispatch] [saag] The Mathematical Mesh

Ben Laurie <> Wed, 24 April 2019 16:52 UTC

From: Ben Laurie <>
Date: Wed, 24 Apr 2019 17:52:22 +0100
To: Phillip Hallam-Baker <>
Cc: Ben Laurie <>,, IETF SAAG <>

On Wed, 24 Apr 2019 at 17:47, Phillip Hallam-Baker <>

> On Wed, Apr 24, 2019 at 4:53 AM Ben Laurie <> wrote:
>>> If we are using QR codes to connect devices, we can transmit the
>>> necessary information without the user needing to notice that is what we
>>> are doing. Otherwise, there are many existing protocols that make
>>> comparison of 15-30 character base 32 encoded strings as the basis for
>>> mutual authentication and these have proved effective and acceptable.
>> Oh really? Evidence?
> We Chat has a billion accounts and is conservatively estimated to serve
> about 50% of the population of China. They use QR codes for contact
> exchange.

"In China, digital marketing around QR code is an environmental feature of
some international cities, such as Guangzhou, Shanghai and Beijing."

Not so much around these parts.

> One of the biggest problems that we have made for ourselves is making the
> perfect be the enemy of the good. We insisted on end-to-end secure email
> and got 0.1% of the mail user population enrolled for credentials of which
> less than 1% use end-to-end email regularly.

This I do very much agree with.

> If you want to offer security usability testing resources to improve on
> the schemes I am proposing, I would be more than happy to make any changes
> they suggest.
>
> But right now the situation is that it took me over 15 minutes to
> configure Thunderbird to use S/MIME. And I know what I am doing. It is a
> 17-step process that requires use of a Web browser and email client and
> multiple switches between the two. It took me another ten minutes to find
> the instructions.
>
> When the current situation is that users are required to poke themselves
> in the eye with a sharp stick to get end-to-end security, it doesn't take
> very much to improve on that.

I don't disagree with this, either. I do object, however, to assertions
that things are obviously usable.