On 30/01/14 02:24, Ximin Luo wrote:
> There's a common UI principle that says people can remember 7 (5-9)
> "things" at once well, where things is some sort of coherent unit.
> This is consistent with my own personal experience comparing fps.
>
> Visually, I definitely find PGP and OTR fps easier to compare than
> SSH fps, OTR probably marginally more so, since I can hold 8
> characters in my head at once.

https://en.wikipedia.org/wiki/Working_memory#Capacity

Eight is above average - we should design for below-average.

My intuition about alphabets is that uncertainty about the alphabet slows people down. For example, if people don't know that an OTR fingerprint is case-insensitive hex, they may read "B03F" as "capital b, capital o... no, sorry, zero... three, capital f". Likewise they may read out punctuation that's used to group the symbols.

Think about speaking to a stranger over a bad phone line. Digits can be communicated fairly efficiently in groups of two or three. Letters require the phonetic alphabet, and if you don't both know that the other person's familiar with it, that means "a for alpha, b for bravo" rather than "alpha, bravo". If you have to pronounce lowercase and uppercase as well, something like base58 becomes less time-efficient than decimal digits.

But I think we can circumvent this whole problem for the common case of face-to-face comparison. In that case we can either use QR codes, as Daniel suggested, or kick off an ephemeral key exchange with hash commitment, use short authentication strings to authenticate the ephemeral key exchange, then use the ephemeral authenticated channel to compare whatever we need to compare.

Cheers,
Michael
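
The commit-then-compare exchange described in the message above, as an added example that is not part of the original e-mail or of any project's code. The names `commit`, `sas`, `exchange` and `fresh`, the choice of SHA-256 and the 6-digit length are assumptions, and random 32-byte strings stand in for real ephemeral public keys.

```python
import hashlib
import hmac
import secrets

def commit(pub: bytes, nonce: bytes) -> bytes:
    # Fixed 32-byte fields, so plain concatenation is unambiguous.
    return hashlib.sha256(b"commit" + nonce + pub).digest()

def sas(commitment: bytes, pub_a: bytes, pub_b: bytes, digits: int = 6) -> str:
    # Decimal digits in groups of three: no alphabet or case to spell out.
    h = hashlib.sha256(b"sas" + commitment + pub_a + pub_b).digest()
    n = int.from_bytes(h[:8], "big") % 10 ** digits
    s = f"{n:0{digits}d}"
    return " ".join(s[i:i + 3] for i in range(0, digits, 3))

def exchange(pub_a, nonce_a, pub_b, relay=lambda name, value: value):
    """Pass the three messages through `relay` (the network, possibly hostile).
    Returns (Alice's SAS, Bob's SAS); the two users compare them aloud."""
    # 1. Alice -> Bob: commitment only. Her key is fixed before she sees
    #    Bob's, so a party in the middle cannot pick keys after the fact
    #    to make the short strings match.
    c_sent = commit(pub_a, nonce_a)
    c_recv = relay("commit", c_sent)
    # 2. Bob -> Alice: his ephemeral public key.
    pub_b_recv = relay("pub_b", pub_b)
    # 3. Alice -> Bob: she opens the commitment; Bob checks it.
    pub_a_recv, nonce_recv = relay("open", (pub_a, nonce_a))
    if not hmac.compare_digest(commit(pub_a_recv, nonce_recv), c_recv):
        raise ValueError("revealed key does not match commitment")
    # Each side hashes the transcript as it saw it.
    return (sas(c_sent, pub_a, pub_b_recv), sas(c_recv, pub_a_recv, pub_b))

def fresh() -> bytes:
    # Constructed stand-in for an ephemeral public key or a nonce.
    return secrets.token_bytes(32)

if __name__ == "__main__":
    a, b = exchange(fresh(), fresh(), fresh())
    print("honest run:               ", a, "|", b)
    evil = fresh()
    swap = lambda name, v: evil if name == "pub_b" else v
    a, b = exchange(fresh(), fresh(), fresh(), relay=swap)
    print("key substituted in transit:", a, "|", b)
```

When the two strings match, the users can treat the ephemeral keys as authenticated and run the longer comparison over that channel; a mismatch or a `ValueError` means the exchange was altered in transit.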
