On 30/11/15 03:09, Karl wrote: > On 11/29/15, Ximin Luo <[email protected]> wrote: >> On 30/11/15 00:53, Ethan Heilman wrote: >>>> No human user thinks in terms of contacting cryptographic identities. >>>> [..] >>> >>> Am I correct in my understanding that .onion addresses work this way? >>> >> [..] >> >> (To put it another way, "self-authenticating" is a joke. My GPG fingerprint >> is self-authenticating too. Just go talk to 0x1318efac5fbbdbce, it doesn't >> matter who that is in real life.... what? no takers?) > > It seems reasonable to me that the important part of somebody's > identity would be their behavior rather than their body or name. But > to use fingerprints as identifiers, you'd need a way for humans to > remember and compare them. Some way of hashing data into something > memorable but complex enough to be collision-resistant, like a > detailed image of a computer-generated human face. > > I wonder if anybody's done something like that. >
For an authentication system to actually be safe, it needs to allow me to *distinguish* my contact from any other attacker. For a cryptographic protocol, this means that my contact must know some secret information that attackers do not have. One can generally assume that "behaviour" / "biometrics" do not fit this secrecy requirement since an attacker can just forge it - sometimes literally by copying it as it is generated, as is effectively what happens in MITM. X -- GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
