Jonathan Schleifer <[EMAIL PROTECTED]> writes:

> GPG should only be an option and not the default, never more, as GPG
> is not user friendly to the average user.

I don't think non-technical users need to ever see anything except similar user interfaces as shown earlier in this thread.

> It wouldn't really work with a dialog like that. We already have
> problems getting people to verify the SAS, how do you expect them to
> verify a fingerprint? ;)

You can transform an OpenPGP key fingerprint into a SAS-like string, if that makes you feel better, and ask users to verify that. Hash the OpenPGP fingerprint, truncate it and encode it using the same length and characters as used by SAS today.

If you don't think that is acceptable, the challenge is yours to come up with something better. The security industry have been trying for many years... I'm not aware of any technology that is more secure and simpler to use than TLS+OpenPGP with user-assisted fingerprint verification, but I'd love to hear your counter-proposal.

Disclaimer: I haven't studied the ESession protocol.

/Simon
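
The transformation described in the message above (hash the fingerprint, truncate, re-encode), as an added Python example that is not from the thread or from any ESession implementation. SHA-256, the domain-separation label, the 8-symbol length and the Crockford Base32 alphabet are assumptions; the message only says to match the length and characters SAS uses.

```python
import hashlib
import hmac

# Assumed encoding: Crockford Base32 (5 bits per symbol, no I, L, O, U).
CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
SAS_SYMBOLS = 8  # assumed length: 8 symbols = 40 bits


def normalize_fingerprint(fpr: str) -> bytes:
    """Accept a hex fingerprint as usually displayed (spaces, colons, any case)."""
    hexstr = "".join(ch for ch in fpr if ch not in " :\t\n")
    if len(hexstr) not in (40, 64):  # v4 = 160-bit, v6 = 256-bit
        raise ValueError("unexpected fingerprint length")
    return bytes.fromhex(hexstr)  # raises ValueError on non-hex characters


def fingerprint_to_sas(fpr: str, symbols: int = SAS_SYMBOLS) -> str:
    """Hash the fingerprint, keep the leading bits, encode them for reading aloud."""
    # The label is a hypothetical domain separator so the digest is not reused elsewhere.
    digest = hashlib.sha256(b"sas-demo-v1\x00" + normalize_fingerprint(fpr)).digest()
    bits = symbols * 5
    value = int.from_bytes(digest, "big") >> (256 - bits)
    out = [CROCKFORD[(value >> shift) & 0x1F] for shift in range(bits - 5, -1, -5)]
    text = "".join(out)
    return "-".join(text[i:i + 4] for i in range(0, symbols, 4))


def normalize_sas(text: str) -> str:
    """Undo what users do when retyping: case, separators, look-alike letters."""
    t = text.upper().replace("-", "").replace(" ", "")
    return t.translate(str.maketrans("OIL", "011"))


def sas_matches(fpr: str, typed: str, symbols: int = SAS_SYMBOLS) -> bool:
    expected = normalize_sas(fingerprint_to_sas(fpr, symbols))
    return hmac.compare_digest(expected.encode(), normalize_sas(typed).encode())


if __name__ == "__main__":
    # Constructed sample fingerprint, not a real key.
    sample = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    print(fingerprint_to_sas(sample))
```

A string this short resists a second-preimage search only to the number of bits it encodes, so the symbol count is a security parameter and not just a usability choice.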
