In my opinion I believe that for question (2) some form of hashing to English word pairs would be appropriate as it would also answer part of question (1), i.e., it would lessen the effort required to compare the fingerprints. For instance I believe the two questions you point out are tightly bound to each other.
So I completely agree with you that we should plan and go into fieldwork.

George Violaris
PK for encrypted messages: http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0xEB302A1976E7482F

On Tue, Mar 11, 2014 at 8:50 AM, Trevor Perrin <[email protected]> wrote:
>
> On Sun, Mar 9, 2014 at 8:10 PM, Joseph Bonneau <[email protected]> wrote:
>>
>> I'm interested in helping out as well if I can, glad to see there's some
>> movement here! In particular I can help with data analysis/significance
>> testing if that's something needed, though sounds like the sample size will
>> be low.
>>
>>>
>>> For the tests, I could imagine giving users pairs of fingerprints which
>>> are either identical or a close match, and have them choose same/different
>>> after X seconds, where X is tuned to produce a significant error rate. I'd
>>> also try having one value on a screen, and the other in different formats
>>> that might be used for fingerprint exchange: e.g. printed on the front of a
>>> business card, displayed on a separate screen, read aloud, written on a
>>> napkin, etc.
>>
>>
>> I think I've made this point before but I think the main challenge is
>> seeing how users perform not just in a quick check time wise, but one in
>> which they have no reason to suspect an error, because most of the time most
>> users don't think they're being attacked so they just check the beginning
>> for a gross error then click through. If you tell users to check for errors,
>> it may not represent very well how they'd do in practice. Perhaps the only
>> way around this is to show users fingerprints which match in 99% of cases
>> and see if they catch the 1% when they are mind-numbingly bored and their
>> prior is low.
>
>
> There might be two different questions here:
>
> 1) How much effort do users spend comparing fingerprints?
> 2) For a given amount of effort, which fingerprint format works the best?
>
> Question (2) seems testable in the lab.
>
> Question (1) depends on the user and her context: Does she believe herself
> to be a surveillance target? Are these sensitive communications? This
> seems a question for fieldwork.
>
>
> Trevor
>
>
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
