Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> writes:
On Tue, Apr 28, 2015 at 10:14 AM, Derek Atkins <derek(_at_)ihtfp(_dot_)com>
wrote:
Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> writes:
The idea is that when someone is typing in the fingerprint, the client
can perform a parity check to see if the fingerprint data is correct
as the user is typing rather than waiting until the end.
Why would someone type in a fingerprint? Could you give me a use-case
for that?
The only use case I've ever seen is that you copy-and-paste it onto your
business card (or presentation, or other printed/distributed material),
and then the verifier performs a visual match later between the printed
material and their verification screen.
Well, I would flip it round then and say, why would a user ever
interact with a fingerprint other than on a business card?
I've seen them on business cards, web sites (not sure why I'd believe
that), and printed on Letter paper at keysigning parties. But my
question remains unanswered: When would someone ever need to *TYPE* in a
fingerprint?
The only time that I think a fingerprint would need its own checksum is
if users are actually keying a fingerprint in for some reason. I don't
see any use case where this would ever happen.
There are many other cases where devices will be exchanging
fingerprints under the covers. But I don't expect the user to ever see
those. If we meet at IETF and bump iPhones then I don't expect to see
a fingerprint unless I open up an 'advanced' tab.
Sure, and in these cases you can just use the binary fingerprint
directly. Or better yet, exchange the full keys/certificates.
[snip]
When it comes down to it, business cards and legal documents are the
only places I expect the base32 fingerprint to be seen.
*nods* -- and need to be visually inspected/compared.
That said, I am really on the fence on Base32C. Another way to skin
the same cat would be to have an interactive protocol with whatever
service uses fingerprints as index terms. With a population of a
million keys (2^20) a fingerprint should start to become unique after
the fourth letter is typed. So the service could easily construct a
'did you mean' concordance.
Interesting concept... But again, why would you be typing it in? What's
the use case here? The only use-cases I've seen are where the user
visually verifies that the printed fingerprint == the computed
fingerprint.
-derek
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
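
The prefix-indexed 'did you mean' lookup mentioned in the thread, sketched as an added example (not code from either poster or from any OpenPGP implementation). Four base32 letters carry 20 bits, which is where the 2^20 figure comes from; to keep the run short the constructed population here is 32^3 keys, so candidates thin out around the third letter instead. The fingerprint format (truncated base32 of SHA-256) and all names are assumptions.

```python
import base64
import bisect
import hashlib

def fingerprint(key: bytes, chars: int = 25) -> str:
    # Constructed stand-in format: first `chars` base32 letters of SHA-256(key).
    return base64.b32encode(hashlib.sha256(key).digest()).decode()[:chars]

class Concordance:
    """Sorted index of base32 fingerprints, queried by typed prefix."""

    def __init__(self, fingerprints):
        self.index = sorted(set(fingerprints))

    def _span(self, typed: str):
        typed = typed.upper()
        lo = bisect.bisect_left(self.index, typed)
        # "\x7f" sorts after every base32 character, so it bounds the prefix range.
        hi = bisect.bisect_left(self.index, typed + "\x7f")
        return lo, hi

    def count(self, typed: str) -> int:
        lo, hi = self._span(typed)
        return hi - lo

    def candidates(self, typed: str, limit: int = 5):
        lo, hi = self._span(typed)
        return self.index[lo:min(hi, lo + limit)]

    def unique_after(self, fp: str):
        # Number of letters that must be typed before fp is the only match.
        for n in range(1, len(fp) + 1):
            if self.count(fp[:n]) == 1:
                return n
        return None

    def did_you_mean(self, typed: str, limit: int = 5):
        # Back off to the longest prefix that still matches an indexed key;
        # the returned length marks the first letter that cannot be right.
        for n in range(len(typed), 0, -1):
            hits = self.candidates(typed[:n], limit)
            if hits:
                return n, hits
        return 0, []

def build_population(n_keys: int = 32 ** 3) -> Concordance:
    # Constructed sample data: fingerprints of n_keys dummy "keys".
    return Concordance(fingerprint(b"constructed-key-%d" % i) for i in range(n_keys))

if __name__ == "__main__":
    c = build_population()
    fp = c.index[0]
    print([c.count(fp[:n]) for n in range(1, 7)], c.unique_after(fp))
```

A service exposing such a lookup lets anyone enumerate indexed fingerprints by prefix, so it only makes sense where the index is already public.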