(Picking up an old thread)
On Thu, Jan 10, 2013 at 6:49 PM, Sean Lynch <[email protected]> wrote:
> When you start the application for the first time, it prompts you to
> generate a public key or import one (it could be generated from a
> password, but this has some problems associated with it). It lets you
> put any metadata you want on the key, then connects to the network via
> an included list of seed peers, or you could type them in yourself. The
> application would then maintain a list of known reachable peers for
> future connections.
>
There was a lot of discussion on this list on how keys themselves are very
offputting to the casual user. But what if you converted the key into
something more familiar, like a Gravatar image, or even just watermarking
in some other image? So it could be something like:
1. "Welcome to Cryptosphere! How do you want to appear to other users?"
a. Take a picture now with my webcam
b. Choose a picture from Facebook
c. Choose a picture from disk
d. Generate a cool fractal image
2. (Watermarks the photo with your public key, perhaps with a "Connect with
me on Cryptosphere!" logo in the corner.)
3. Great, we've embedded some special information in this photo. Send a
copy to anyone whoever you like (by email, text, Facebook, etc) and they
will be able to connect with you securely via Cryptosphere.
4. Do you want to replace your Facebook photo with this image and so all
your friends can contact you on Cryptosphere?"
Basically, co-opt something that is already very familiar to deliver the
public key, and it might not be so scary.
And before anybody panics about Facebook not being a secure way to
introduce yourself, I'd highlight that every other medium is subject to the
same vulnerability. The best solution there would be to encourage
everybody to connect with each other via multiple mediums (Facebook, email,
text, AIM) and then confirm that the same key came through all mediums
before accepting the request. The more mediums that check out (especially
when routing requests through friends), the less likely *all* of them have
been simultaneously and surreptitiously compromised.
-david
_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
