On 11/30/15, Ximin Luo <[email protected]> wrote:
> On 30/11/15 03:09, Karl wrote:
>> On 11/29/15, Ximin Luo <[email protected]> wrote:
>>>
>>> (To put it another way, "self-authenticating" is a joke. My GPG
>>> fingerprint is self-authenticating too. Just go talk to
>>> 0x1318efac5fbbdbce, it doesn't matter who that is in real life....
>>> what? no takers?)
>>
>> It seems reasonable to me that the important part of somebody's
>> identity would be their behavior rather than their body or name. But
>> to use fingerprints as identifiers, you'd need a way for humans to
>> remember and compare them. Some way of hashing data into something
>> memorable but complex enough to be collision-resistant, like a
>> detailed image of a computer-generated human face.
>>
>> I wonder if anybody's done something like that.
>>
>
> For an authentication system to actually be safe, it needs to allow me to
> *distinguish* my contact from any other attacker. For a cryptographic
> protocol, this means that my contact must know some secret information that
> attackers do not have. One can generally assume that "behaviour" /
> "biometrics" do not fit this secrecy requirement since an attacker can just
> forge it - sometimes literally by copying it as it is generated, as is
> effectively what happens in MITM.

Right. I imagine the face is generated from the fingerprint of the public key. Hence copying it would require generating enough keys to find a human-believable collision, as would be equivalently done to fake .onion addresses or pgp key fingerprints. We're a lot better at remembering and comparing the details of faces than numbers, and we readily associate them with identities. I suppose some video game probably has a character generator detailed enough to feed a key fingerprint into.

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
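
An added example, not part of either poster's message: a sketch of deriving face attributes from a key fingerprint, with a calculation of how many keys an impostor would have to generate before the attributes a person actually compares all match. The attribute table and its counts are assumptions made up for illustration, and the function names are hypothetical.

```python
import hashlib
import math

# Hypothetical face attributes with the number of visibly distinct values each
# can take. These counts are assumptions for illustration, not measured data.
FEATURES = {
    "face_shape": 8, "skin_tone": 8, "hair_style": 16, "hair_colour": 8,
    "eye_shape": 8, "eye_colour": 8, "nose": 8, "mouth": 8,
    "eyebrows": 8, "facial_hair": 4, "glasses": 4,
}

def face_from_fingerprint(fpr):
    """Deterministically map a hex key fingerprint to discrete face attributes."""
    fpr = fpr.strip().lower().replace(" ", "")
    if fpr.startswith("0x"):
        fpr = fpr[2:]
    # Hash first so every attribute depends on every fingerprint bit.
    pool = int.from_bytes(hashlib.sha256(bytes.fromhex(fpr)).digest(), "big")
    face = {}
    for name, choices in FEATURES.items():
        pool, face[name] = divmod(pool, choices)  # peel off one mixed-radix digit
    return face

def expected_keys_to_match(compared=None):
    """Expected number of keys an impostor must generate before the attributes
    a human actually compares all match a given face (uniform hash assumed)."""
    names = FEATURES if compared is None else compared
    return math.prod(FEATURES[n] for n in names)

def bits_compared(compared=None):
    """Strength of the comparison in bits: log2 of the expected work above."""
    return math.log2(expected_keys_to_match(compared))

if __name__ == "__main__":
    quoted = "0x1318efac5fbbdbce"       # key ID quoted in the thread
    constructed = "0x1318efac5fbbdbcf"  # constructed: last hex digit changed
    print(face_from_fingerprint(quoted))
    print(face_from_fingerprint(constructed))
    print("all attributes compared:", bits_compared(), "bits")
    print("hair and glasses only:",
          bits_compared(["hair_style", "hair_colour", "glasses"]), "bits")
```

With this table a fully compared face carries 32 bits, and a viewer who only recalls hair and glasses is checking 9, so the rendering is only as collision-resistant as the details people reliably notice.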
