[tor-talk] Tor for everyone; introducing Eccentric Authentication

Guido Witmond guido at witmond.nl
Wed Feb 24 22:04:39 UTC 2016


On 02/24/16 00:22, Allen wrote:
>>
>> Secondly, with the requirement that nickname at sitename.tld be unique,
>> I could write that nickname on a business card and hand it out. People
>> could verify at a verification service that there is only one
>> certificate (and public key) for that name and be sure to have gotten
>> *my* public key. From that point, they can send encrypted messages to me.
>>
> 
> That's not a service that I would use myself.  If I wanted people to be
> able to get my public key from a business card, I would print the key
> itself on my card using a QR code.  The other stuff you listed also doesn't
> have much interest to me personally, but I can't speak for anyone else.

Granted, it's secure to print a fingerprint on a business card but it's
not so user friendly. And as studies[1] have shown, most 'normal' people
won't be as judicious with fingerprint validation as the security
minded. And I believe both groups deserve the same strength in security.

Would you use this service if all you'd have to do is type in the user's
nickname at site and your computer would validate if there is only one
certificate attached to that name? If so, you can be sure that only the
intended recipient can decrypt it. If the computer would find multiple
certificates - or none at all - it would give an error and not allow
communication because it couldn't determine the correct public key to use.

Or what about being able to scribble a nickname at site address at the back
of a beer coaster in a bar?

My drive is to make key exchange happen as a natural part of normal
interactions between people. Not as a separate step that could be
neglected, forgotten or done wrong.


Regards, Guido Witmond.

1a: Why Johnny can't encrypt.
1b: Engineering Security, by Peter Gutmann.
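The uniqueness check described in the message above, sketched as an added example that is not part of the original post or of the Eccentric Authentication project's code. It assumes the verification service can be modelled as a list of (name, certificate bytes) records; the names `resolve_unique`, `AmbiguousIdentity` and the registry contents are hypothetical and constructed for illustration.

```python
import hashlib


class AmbiguousIdentity(Exception):
    """The name does not map to exactly one certificate."""


def normalize(name: str) -> str:
    """Canonical nickname@site form. Assumption: the site part is
    case-insensitive (like DNS), the nickname is case-sensitive."""
    nickname, sep, site = name.strip().partition("@")
    if not sep or not nickname or not site:
        raise ValueError(f"not a nickname@site name: {name!r}")
    return f"{nickname}@{site.lower()}"


def resolve_unique(name: str, registry) -> bytes:
    """Return the single certificate registered for `name`.

    Fails closed: zero certificates or more than one distinct
    certificate raises, so the caller never encrypts to a guessed key.
    """
    wanted = normalize(name)
    found = {}  # fingerprint -> certificate bytes
    for rec_name, cert in registry:
        try:
            if normalize(rec_name) != wanted:
                continue
        except ValueError:
            continue  # skip malformed registry records
        # The same certificate seen twice is still one certificate.
        found[hashlib.sha256(cert).hexdigest()] = cert
    if len(found) != 1:
        raise AmbiguousIdentity(
            f"{wanted}: {len(found)} distinct certificates, refusing to encrypt")
    return next(iter(found.values()))


# Constructed sample registry (not real certificates).
REGISTRY = [
    ("alice@example.org", b"constructed-cert-A"),
    ("alice@example.org", b"constructed-cert-A"),   # duplicate record
    ("bob@example.org", b"constructed-cert-B1"),
    ("bob@example.org", b"constructed-cert-B2"),    # second cert, same name
]

if __name__ == "__main__":
    for who in ("alice@Example.ORG", "bob@example.org", "carol@example.org"):
        try:
            print(who, "->", resolve_unique(who, REGISTRY))
        except AmbiguousIdentity as err:
            print("error:", err)
```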
