On Sun, Mar 23, 2014 at 5:56 PM, Daniel Kahn Gillmor <[email protected]> wrote:
>
> I think the proposal i mentioned earlier (one-use strong DH keys that
> users print a stack of beforehand) is worth including in this bestiary.
> Even if we decide ultimately that it is logistically too expensive,
> it's a useful contrast to the others.

OK, though I'm calling this "not great usability" because you still have to print and carry a deck of cards, handle card halves, and type in ~256 bits of ECDH key (51 base32 chars?).

Some other changes:

 - If you're doing lookups through PIR mirrors instead of through the user's intro-cert directory, maybe you don't need to exchange the directory name? The PIR thing is still a huge question mark, but I'll pretend that works.
 - Fingerprint or multi-use ECDH keys have the benefit that you get the user's long-term fingerprint, which can be corroborated with third parties to make sure it's correct.
 - Fingerprint or multi-use ECDH keys have the downside that you get the user's long-term pseudonym, so it doesn't have the "unlinkable pseudonym" property by default - users can figure out they're corresponding with the same party.

Different methods and their disadvantages -

1) Secret exchange
 - asking people to think up sufficient entropy on the fly seems risky and low usability
 - using non-computer tools to generate entropy seems low usability (shuffling cards, rolling dice, tearing "tickets" in half, etc.)
 - central rendezvous server / DHT needed
 - fingerprints must be exchanged separately (if desired)

2) "Human-sized" ECDH key exchange
 - smallish keys (32 base32 chars = 80 bit security)
 - low "forward secrecy for linkages" unless you change the key frequently
 - central rendezvous server / DHT needed
 - needs user preparation before meeting
 - doesn't provide "unlinkable pseudonyms" - users can figure out they're corresponding with the same party

3) "One-time cards" ECDH key exchange
 - not great usability (print / carry / exchange card halves, type in ~256 bits ECDH key per contact)
 - central rendezvous server / DHT needed (unless printed on card?)
 - needs user preparation before meeting
 - fingerprints must be exchanged separately (if desired)

4) Fingerprint exchange
 - needs PIR (??) to make "intro-cert" lookups unlinkable
 - needs user preparation before meeting
 - doesn't provide "unlinkable pseudonyms" - users can figure out they're corresponding with the same party

Trevor
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
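An added worked example, not code from the thread or from either author, modelling options 2 and 3 above: a "deck" of single-use X25519 keypairs (one card per contact) versus one multi-use key, the length of the base32 string a user would have to type for a 256-bit public key, and why the one-time deck gives the "unlinkable pseudonym" property while the multi-use key does not. The pure-Python X25519 ladder follows RFC 7748 so the block needs no third-party package; it is an illustration and is not constant-time. The card encoding, the `rendezvous_tag` derivation (hash of the ECDH secret as the lookup key at a rendezvous server or DHT) and all function names are assumptions made for this example, not anything the thread specifies.

```python
import base64
import hashlib
import os

# Curve25519 parameters (RFC 7748).
P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5. Illustration only: the
    conditional swap is a plain branch, so this is NOT constant-time."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def make_card(private_key=None):
    """One printed 'card' (assumed format): a fresh keypair. The holder keeps
    the private half and hands the public half to exactly one contact."""
    priv = private_key or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def encode_card(pub: bytes) -> str:
    """What the contact would type in: unpadded base32 of the 256-bit key."""
    return base64.b32encode(pub).decode().rstrip("=")


def decode_card(text: str) -> bytes:
    return base64.b32decode(text + "=" * (-len(text) % 8))


def rendezvous_tag(my_priv: bytes, their_pub: bytes) -> str:
    """Assumed convention: both parties hash the ECDH secret to get the key
    under which they find each other at the rendezvous server / DHT."""
    shared = x25519(my_priv, their_pub)
    return hashlib.sha256(b"rendezvous|" + shared).hexdigest()


def contacts_can_link(card_given_to_bob: bytes, card_given_to_carol: bytes) -> bool:
    """Bob and Carol compare the public halves Alice handed them. Equal
    values mean they learn they share a correspondent."""
    return card_given_to_bob == card_given_to_carol


def demo() -> dict:
    # Option 3: Alice prints a deck and gives a different card to each contact.
    (a_priv1, a_pub1), (a_priv2, a_pub2) = make_card(), make_card()
    b_priv, b_pub = make_card()
    c_priv, c_pub = make_card()
    # Each pair derives the same tag from its own private half.
    assert rendezvous_tag(a_priv1, b_pub) == rendezvous_tag(b_priv, a_pub1)
    assert rendezvous_tag(a_priv2, c_pub) == rendezvous_tag(c_priv, a_pub2)
    # Option 2: one multi-use key, so both contacts receive the same value.
    _, m_pub = make_card()
    return {
        "card_chars": len(encode_card(a_pub1)),            # 52
        "one_time_linkable": contacts_can_link(a_pub1, a_pub2),  # False
        "multi_use_linkable": contacts_can_link(m_pub, m_pub),   # True
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the cost/benefit trade-off the list is weighing: 256 bits of public key come out at 52 base32 characters per contact to type, but because every contact sees a distinct public half, no two contacts can conclude from the key alone that they are talking to the same person, whereas a reused key links them immediately. The RFC 7748 test vector in the accompanying check confirms the ladder is a faithful X25519.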
