<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi All,<div class=""><br class=""></div><div class="">Having Beer with Donncha, Yan and others in Berlin a few days ago, discussion moved to Onion-Address Human Factors.</div><div class=""><br class=""></div><div class="">Summary points: </div><div class=""><br class=""></div><div class="">1) it’s all very well to go an mine something like “facebookcorewwwi” as an onion address, but 16 characters probably already exceeds human ability for easy string comparison.</div><div class=""><br class=""></div><div class="">2) example of the above: there are already “in the field” a bunch of onion addresses “passing themselves off” as other onion addresses by means of common prefixes.</div><div class=""><br class=""></div><div class="">3) next generation onion addresses will only make this worse</div><div class=""><br class=""></div><div class="">4) from Proposal 244, the next generation addresses will probably be about this long:</div><div class=""><br class=""></div><div class=""><pre style="padding: 0px; margin-top: 0px; margin-bottom: 0px; font-size: 13.3333330154419px; widows: 1;" class=""> a1uik0w1gmfq3i5ievxdm9ceu27e88g6o7pe0rffdw9jmntwkdsd.onion
</pre></div><div class=""><br class=""></div><div class="">5) taking a cue from World War Two cryptography, breaking this into banks of five characters which provide the eyeball a point upon which to rest, might help:</div><div class=""><br class=""></div><div class=""><div class=""><pre style="padding: 0px; margin-top: 0px; margin-bottom: 0px; font-size: 13.3333330154419px; widows: 1;" class=""><div style="font-family: Helvetica; font-size: 12px; white-space: normal; widows: auto;" class=""><pre style="padding: 0px; margin-top: 0px; margin-bottom: 0px; font-size: 13.3333330154419px; widows: 1;" class=""> a1uik-0w1gm-fq3i5-ievxd-m9ceu-27e88-g6o7p-e0rff-dw9jm-ntwkd-sd.onion
</pre><div class=""><br class=""></div></div></pre></div></div><div class="">6) using underscores would be a pain (tendency to have to use SHIFT to type)</div><div class=""><br class=""></div><div class="">7) using dots would pollute subdomains, and colons would cause parser confusion with port numbers in URIs</div><div class=""><br class=""></div><div class="">8) being inconsistent (meaning: “we extract the second label and expunge anything which is not a base32 character”, ie: that with-hyphens and without-hyphens) may help or hinder, we’re not really sure; it would permit mining addresses like:</div><div class=""><br class=""></div><div class=""><font face="Menlo" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>agdjd-recognisable-word-kjhsdhkjdshhlsdblahblah.onion # illustration purposes only</font></div><div class=""><br class=""></div><div class="">…which *looks* great, but might encourage people to skimp on comparing [large chunks of] the whole thing and thereby enable point (2) style passing-off.</div><div class=""><br class=""></div><div class="">9) appending a credit-card-like “you typed this properly” extra few characters checksum over the length might be helpful (10..15 bits?) - ideally this might help round-up the count of characters to a full field, eg: XXX in this?</div><div class=""><br class=""></div><div class=""><div class=""><pre style="padding: 0px; margin-top: 0px; margin-bottom: 0px; font-size: 13.3333330154419px; widows: 1;" class=""> a1uik-0w1gm-fq3i5-ievxd-m9ceu-27e88-g6o7p-e0rff-dw9jm-ntwkd-sdXXX.onion</pre></div><div class=""><br class=""></div><div class="">10) it might be good to discuss this now, rather than later?</div><div class=""><br class=""></div><div class="">Hence this email, in the hope of kicking off a discussion between people who care about human factors. :-)</div><div class=""><br class=""></div><div class=""> - alec</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">—</div><div class="">Alec Muffett</div><div class="">Security Infrastructure</div><div class="">Facebook Engineering</div><div class="">London</div></div></div>
</div>
<br class=""></div></body></html>