On 09/30/2011 11:09 AM, Alex Stapleton wrote:
> http://haacked.com/archive/2007/01/22/Identicons_as_Visual_Fingerprints.aspx

This link seems to come up often when talking about fingerprint
comparisons.  I am not convinced it is a good idea from a cryptographic
standpoint.

I think identicons would succeed in providing a simple way to
automatically visually distinguish two different-yet-cooperating parties.

I have yet to see any analysis showing that an attacker couldn't coerce
the digested data to create an identicon that most normal humans would
consider to be a "match".

Good for easy visual distinction between cooperating parties is not the
same thing as a strong cryptographic assurance against a malicious
impersonator.

In particular, I'm quite dubious of any web site with claims like the
following:

>> Of course, in this situation, the security minded person would use an 
>> automated MD5 checksum checker rather than manually confirming the 
>> binary. But do you trust your md5 checksum checker? A quick visual 
>> confirmation would be a nice additional vote of confidence in this 
>> scenario.

If you don't trust your md5 checksum utility, why do you trust your png
renderer (or your display controller, or your operating system, etc)?

Identicons are a neat idea, but without a lot more defensively-oriented
analysis, they're not something to be used in a critical context like
strong establishment of identity.

Regards,

        --dkg


_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
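
The gap between "looks the same" and "is the same digest" that the message above describes, as an added example that is not part of the original message. The 5x5 mirrored identicon, its 15-bit layout, the use of SHA-256, and all function names and sample inputs are assumptions made for illustration, not any real identicon scheme.

```python
import hashlib
import hmac

GRID = 5                      # hypothetical 5x5 identicon, mirrored left-right
FREE_CELLS = GRID * 3         # only 3 of 5 columns are independent -> 15 bits


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def identicon_bits(data: bytes) -> int:
    """The only digest bits this toy rendering depends on (top 15 of 256)."""
    return int.from_bytes(digest(data)[:2], "big") >> (16 - FREE_CELLS)


def render(data: bytes) -> str:
    """ASCII rendering: '#' for a set cell, '.' otherwise."""
    bits = identicon_bits(data)
    rows = []
    for r in range(GRID):
        half = [(bits >> (r * 3 + c)) & 1 for c in range(3)]
        full = half + half[1::-1]          # mirror columns 1 and 0 to make 5
        rows.append("".join("#" if b else "." for b in full))
    return "\n".join(rows)


def find_lookalike(original: bytes, limit: int = 1 << 22):
    """Search constructed inputs for a different one with the same picture."""
    want = identicon_bits(original)
    for i in range(limit):
        candidate = b"constructed-sample-%d" % i
        if candidate != original and identicon_bits(candidate) == want:
            return candidate, i + 1
    return None, limit


def digests_match(a: bytes, b: bytes) -> bool:
    """Full-length, constant-time comparison: the check that actually binds."""
    return hmac.compare_digest(digest(a), digest(b))


if __name__ == "__main__":
    original = b"constructed release tarball contents"
    other, tries = find_lookalike(original)
    print(render(original), "\n")
    print(render(other), f"\n\nsame picture after {tries} tries")
    print("full digests match:", digests_match(original, other))
```

The picture binds only the bits it draws, so its assurance is bounded by those bits (about 2^15 trials here) regardless of the digest length behind it.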