On 30/01/14 00:32, Trevor Perrin wrote:
> SSH: 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8
>
> GPG: 7213 5CAA EA6B 0980 126A 0371 8373 DD15 4D42 48BD
>
> OTR: C4E40F71 A92175F8 597A29A7 CB7E0943 B27014FF
>
> TACK: g5p5x.ov4vi.dgsjv.wxctt.c5iul
>
> Bitcoin: 31uEbMgunupShBVTewXjtqbBv5MndwfXhb
>
>
> SSH: 128 bits, 32 hex chars
> GPG: 160 bits, 40 hex chars
> OTR: 160 bits, 40 hex chars
> TACK: 125 bits, 25 base32 chars (RFC 4648)
> Bitcoin: 200 bits, 34 base58 chars (160 bits hash + version/checksum)
>
> There's also some fingerprint innovations that aren't widespread:
> - Zooko's z-base32
> - "Hash extension" from RFC 3972 to squeeze more bits into a smaller
>   fingerprint
> - Phonetic alphabets like the PGPfone wordlist
>

There's a common UI principle that says people can remember 7 (5-9) "things" at
once well, where a "thing" is some sort of coherent unit. This is consistent with
my own personal experience comparing fps.

Visually, I definitely find PGP and OTR fps easier to compare than SSH fps, OTR
probably marginally more so, since I can hold 8 characters in my head at once.
My eyes go something like this:

screen: C4E40F71->A92175F8  597A29A7->CB7E0943  B27014FF
           ^         |         ^         |         ^
           |         v         |         v         |
paper : C4E40F71  A92175F8->597A29A7  CB7E0943->B27014FF

which I think is the optimum since it reduces "seek time" for your eyes, given
a limited "buffer" of characters that you can remember at once. It now takes
probably less than 5 seconds for me to do this, after a fair bit of practice
(maybe ~100 reps?).

I haven't had much practice comparing TACK or Bitcoin fps, but I imagine that
TACK would be even easier than OTR. The separators are massively helpful and
vital in my opinion if you expect people to visually compare them. SSH goes a
bit overboard though, going past the "5-9" range.

Verbally, I haven't tried doing this. I guess the same principle would apply,
and the S/Key (OPIE) dictionary thing that Nate posted seems interesting. It
would be interesting to come up with a scheme that is easy to compare both
verbally and visually. FWIW, I imagine I'd find it easier to remember 7 spoken
random words, than 7 written random words, which is an asymmetry I can't quite
explain.
X
--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
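
The chunk-by-chunk comparison described in this message, together with the bit counts from the quoted list, as an added example that is not part of the original post. The function names are hypothetical; the Bitcoin address is left out because base58 is case-sensitive and the comparison here folds case.

```python
from itertools import zip_longest

# Fingerprints as displayed in the quoted message.
SAMPLES = {
    "SSH": "43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8",
    "GPG": "7213 5CAA EA6B 0980 126A 0371 8373 DD15 4D42 48BD",
    "OTR": "C4E40F71 A92175F8 597A29A7 CB7E0943 B27014FF",
    "TACK": "g5p5x.ov4vi.dgsjv.wxctt.c5iul",
}
BITS_PER_CHAR = {"SSH": 4, "GPG": 4, "OTR": 4, "TACK": 5}  # hex / RFC 4648 base32
SEPARATORS = ":."


def split_groups(text):
    """Split a displayed fingerprint into the groups a reader sees."""
    for sep in SEPARATORS:
        text = text.replace(sep, " ")
    return text.split()


def profile(kind, text):
    """Return (total bits, number of groups, characters per group)."""
    groups = split_groups(text)
    chars = sum(len(g) for g in groups)
    return chars * BITS_PER_CHAR[kind], len(groups), max(len(g) for g in groups)


def regroup(text, size):
    """Strip separators, fold case, and cut into chunks of `size` characters."""
    flat = "".join(split_groups(text)).upper()
    return [flat[i:i + size] for i in range(0, len(flat), size)]


def first_mismatch(shown, expected, size=8):
    """Index of the first chunk that differs, or None if the values match."""
    pairs = zip_longest(regroup(shown, size), regroup(expected, size))
    for index, (a, b) in enumerate(pairs):
        if a != b:
            return index
    return None


if __name__ == "__main__":
    for kind, text in SAMPLES.items():
        print(kind, profile(kind, text))
    # Constructed input: the OTR value with one character changed in chunk 2.
    altered = "C4E40F71 A92175F8 597A29A1 CB7E0943 B27014FF"
    print("first differing chunk:", first_mismatch(altered, SAMPLES["OTR"]))
```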
