Trevor Perrin <[email protected]> writes: >(A) Most people will never check or understand public-key fingerprints, so we >need something more automatic (eg TOFU and/or trusted infrastructure)
See for example "Do Users Verify SSH Keys?" (Abstract: "No"), https://www.usenix.org/system/files/login/articles/105484-Gutmann.pdf. >(B) Those users who *are* motivated to deal with fingerprints will be >motivated enough to make them work whether 25 or 40 chars, base32 or base16, >etc. They'll be motivated enough to do some checking, but given result from work on fuzzy fingerprints (referenced in the above article) no-one but the most singularly OCD will actually do the check properly, i.e. rigorously check all 40 characters for every key they deal with. Peter. _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
