### Re: [Secdispatch] [saag] The Mathematical Mesh

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 24 April 2019 21:15 UTC

Return-Path: <hallam@gmail.com>

X-Original-To: secdispatch@ietfa.amsl.com

Delivered-To: secdispatch@ietfa.amsl.com

Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id EB26E120290;
Wed, 24 Apr 2019 14:15:53 -0700 (PDT)

X-Virus-Scanned: amavisd-new at amsl.com

X-Spam-Flag: NO

X-Spam-Score: -1.646

X-Spam-Level:

X-Spam-Status: No, score=-1.646 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25,
FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001,
HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no

Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 0nvUxaYvHgB3; Wed, 24 Apr 2019 14:15:52 -0700 (PDT)

Received: from mail-oi1-f174.google.com (mail-oi1-f174.google.com
[209.85.167.174])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 3DB7A12014E;
Wed, 24 Apr 2019 14:15:52 -0700 (PDT)

Received: by mail-oi1-f174.google.com with SMTP id v10so15527242oib.1;
Wed, 24 Apr 2019 14:15:52 -0700 (PDT)

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=aH23A9foeZfCYyknRPZWdPQU/jqp+lqDwufuX+TPgjU=;
b=HmdVIIeW7ucJOrCc6Mr5rWsOD4ekXk5Dvlxyc8H08J2p8N+qbcB/HuK6nOl5mYjq0V
6t40O3n5qyhu5kJ8xH5TsmygDc07KTHNauXGSeza+b1rQdkwFp5n6Uy1+GA2afNSnkDZ
uBqH/NsNi/HhfV/ejrjiqb6TNXdERWTLXId84Ogb1BOYH+HiRgA27sjIvaSS9Gnl2ntY
IYtEQXJwol60sZp0Np7XTgtxB+PQeY+8OlUCJuEKlWN0LcywMrJ+jt9B7OYrLqZj9mQg
TMOBe+8PimrrsCWGlaxnwymvYesIiNGjzGPYoUUdxofbYlUQhkyTLCdjzme27ZOu4EA0
58HQ==

X-Gm-Message-State: APjAAAUPGL61/bpV49J3gGMrZiPVkl+raeL2T6jJcV6RWKAh1rkWDi5k
KdsFYmPJ3fOU7Wy5VmgBqeJkWVxeD9qBEv0wp80=

X-Google-Smtp-Source: APXvYqyjnBzS2yQSRMcU8bWhwV2QLt3shR+5HaTLbjy0BMDybj+GMwA/+ad3oDBEwRcRTYadxcKtMpTf9fK9f3jxAnE=

X-Received: by 2002:aca:43d5:: with SMTP id q204mr838602oia.100.1556140551442;
Wed, 24 Apr 2019 14:15:51 -0700 (PDT)

MIME-Version: 1.0

References: <CAMm+LwiF3iGiRO5reW4KCgf8vp=Kv=+4pD+_rGOcxEsD1Hxk4g@mail.gmail.com>
<20190422190302.GA3137@localhost>
<CAMm+Lwj1BV1=UQwE8-5tPO_mxOVixfkiUjXvu+U_AgnSzzkjvg@mail.gmail.com>
<CABrd9STVA=fT+oH7f4S_x8JQVaQRUJASWCY5g4pnhQL6ezWaHA@mail.gmail.com>
<CAMm+LwhEGTCG7Ucu7xiv0fYZHjxAhe5D6MdU6EYN4UTi0zLnrg@mail.gmail.com>
<CAG5KPzwr9oAP5270jE2N-Sw=d_g_YuhQ5_qB3W0OfggGrcU_qA@mail.gmail.com>
<CAMm+LwgCBAXqWspkgjGdUX-zUwEf7EtBCe8oiHYF2eoJMpR=Ng@mail.gmail.com>
<CAG5KPzxC09HFmR4YaGPPxZRene_ix=XWs02JVoWmiDRTSybvWA@mail.gmail.com>
<CAMm+Lwjp9Ybn3TWp0xppEFXmD4mZB6RAs6cXvBpsSx5HxWPd+A@mail.gmail.com>
<CABrd9STTKHT4k_aB2UX0ke+B6bfFBXNm4pcv8q4aiT=o1TJW-A@mail.gmail.com>

In-Reply-To: <CABrd9STTKHT4k_aB2UX0ke+B6bfFBXNm4pcv8q4aiT=o1TJW-A@mail.gmail.com>

From: Phillip Hallam-Baker <phill@hallambaker.com>

Date: Wed, 24 Apr 2019 17:15:41 -0400

Message-ID: <CAMm+LwiN70VDU+LarBBuFfcEkP4Rbjm2VqaqduO2HNU+tg059Q@mail.gmail.com>

To: Ben Laurie <benl@google.com>

Cc: Ben Laurie <ben@links.org>, secdispatch@ietf.org, IETF SAAG <saag@ietf.org>

Content-Type: multipart/alternative; boundary="000000000000ca1a1b05874d349e"

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/mIZAoV9o7lSWiTfdo_APTN6AA2Q>

Subject: Re: [Secdispatch] [saag] The Mathematical Mesh

X-BeenThere: secdispatch@ietf.org

X-Mailman-Version: 2.1.29

Precedence: list

List-Id: Security Dispatch <secdispatch.ietf.org>

List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>,
<mailto:secdispatch-request@ietf.org?subject=unsubscribe>

List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>

List-Post: <mailto:secdispatch@ietf.org>

List-Help: <mailto:secdispatch-request@ietf.org?subject=help>

List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>,
<mailto:secdispatch-request@ietf.org?subject=subscribe>

X-List-Received-Date: Wed, 24 Apr 2019 21:15:54 -0000

On Wed, Apr 24, 2019 at 2:01 PM Ben Laurie <benl@google.com> wrote: > > > On Wed, 24 Apr 2019 at 18:49, Phillip Hallam-Baker <phill@hallambaker.com> > wrote: > >> >> The reason that the World Wide Web exists at all is that Tim Berners-Lee >> ignored the sage advice of the hypertext community that referential >> transparency was essential and pressed ahead with 'scruffy links'. Nobody >> did usability testing to decide whether the gopher or Web UI was the >> approach to follow until long after we knew the answer. >> > > This is a clear case of survivorship bias. The users did the usability > testing. WWW survived (despite being technically terrible in many ways), > the competitors did not. > The Web had 100 users in the fall of 1992 when it was first demonstrated in public. There were at least two dozen competing network hypertext systems, most of which were far better financed than the Web which had two full time staff at the time. Nine months later the Web had over a million users and it was game over for every other network hypertext scheme apart from Acrobat which had already begun merging itself with the Web to survive. There was rather more than survivor bias at work there. One of the biggest differences between the Web and everything else was that Eric Binna paid immense attention to the quality of his software distributions. He provided binary distributions for a start and the code compiled from source. We paid a great deal of attention to usability but we never had the resources to test any of it. There was never a testing lab at CERN for a start. Or at NCSA as far as I am aware. Come to think of it, when VeriSign acquired the old Netscape HQ, I pushed for the construction of a usability lab. Which means that there wasn't one in the building when we moved in. Right now, I have no means of knowing if an email from my bank is actually >> an email from my bank or not. And that should be considered a problem. The >> problem I have with discussions of usability is that the argument is made >> that because we might not be able to serve every user we should just give >> up and never try to change anything. >> > > Well, the problem I have with discussions of usability is the argument is > made that we should leave that until all the tech is figured out, or that > we don't need to bother because the thing is obviously better. Going from > .1% to 1% is clearly an improvement, but it is not a solution. > Like I said, I am more than happy to accept input on how to do UI better. But I am not going to be blocked on those resources. At this point I have one employee and a seven figure budget. To start thinking about UI testing I need to have more developers and a bigger budget. > BTW, my original question was not about QR codes (though I have my doubts > about those), but about this assertion about usability: "Otherwise, there > are many existing protocols that make comparison of 15-30 character base 32 > encoded strings as the basis for mutual authentication and these have > proved effective and acceptable." > I have entered product activation keys and lived. Adobe managed to sell software with that requirements for decades. So they are not a show stopper for at least some part of the audience. I am requiring only comparison of two codes, not entry. I accept that this is not the ideal approach and in the spec I suggest using BASE32K encoding based on dictionaries of words or images. Since the connection mechanism only requires comparison for equality, we don't have to be restricted to something that can be entered on a keyboard. Images would be the ideal of course because they can be language independent. 'Are these nine pictures the same' is a pretty easy question to answer. The work factor for the UDF approach would be (9*15)-8 = 127. 2^127 is sufficient for most purposes. Comparing nine pictures for equality is relatively straightforward. I haven't gone into this in detail as yet, but my rough strategy for managing the dictionaries is to 1) Sort the entries into a canonical sort order 2) Form a Merkle tree of the result. 3) Publish the apex of the tree in some tamper-proof fashion. This avoids the need to store the entire dictionary on every device which is important even for unconstrained devices. The image dictionary is going to be huge and word dictionaries have to be customized to the user's language. It has not escaped my notice that I could use this as a funding mechanism for the Mesh itself. The million dollar image dictionary. Companies could pay to contribute images to the corpus, part of which could be reserved for advertising. If the system was used a million times a day, $1 would buy nine exposures of the image per day in perpetuity. Or until someone decided to do an advert-free version.

- [Secdispatch] The Mathematical Mesh Phillip Hallam-Baker
- Re: [Secdispatch] The Mathematical Mesh Richard Barnes
- Re: [Secdispatch] The Mathematical Mesh Phillip Hallam-Baker
- Re: [Secdispatch] [saag] The Mathematical Mesh Nico Williams
- Re: [Secdispatch] [saag] The Mathematical Mesh Phillip Hallam-Baker
- Re: [Secdispatch] [saag] The Mathematical Mesh Nico Williams
- Re: [Secdispatch] [saag] The Mathematical Mesh Phillip Hallam-Baker
- Re: [Secdispatch] [saag] The Mathematical Mesh Nico Williams
- Re: [Secdispatch] [saag] The Mathematical Mesh Nico Williams
- Re: [Secdispatch] [saag] The Mathematical Mesh Ben Laurie
- Re: [Secdispatch] The Mathematical Mesh Michael Richardson
- Re: [Secdispatch] [saag] The Mathematical Mesh Phillip Hallam-Baker
- Re: [Secdispatch] [saag] The Mathematical Mesh Ben Laurie
- Re: [Secdispatch] [saag] The Mathematical Mesh Phillip Hallam-Baker
- Re: [Secdispatch] [saag] The Mathematical Mesh Ben Laurie
- Re: [Secdispatch] [saag] The Mathematical Mesh Nico Williams
- Re: [Secdispatch] [saag] The Mathematical Mesh Phillip Hallam-Baker
- Re: [Secdispatch] [saag] The Mathematical Mesh Ben Laurie
- Re: [Secdispatch] [saag] The Mathematical Mesh Ben Laurie
- Re: [Secdispatch] [saag] The Mathematical Mesh Phillip Hallam-Baker
- Re: [Secdispatch] [saag] The Mathematical Mesh Nico Williams
- Re: [Secdispatch] [saag] The Mathematical Mesh Phillip Hallam-Baker
- Re: [Secdispatch] [saag] The Mathematical Mesh Nico Williams
- Re: [Secdispatch] [saag] The Mathematical Mesh Phillip Hallam-Baker