On Aug 23, 2008, at 9:39 AM, Jonathan Schleifer wrote:
Am 23.08.2008 um 00:34 schrieb Pedro Melo:
As for UI for the SAS exchange, I'm partial to the use of the
Mnemonic encoder with a GUI like this: http://mooseyard.com/Jens/
2008/04/cloudy-verification/ (page down, about three or four
screens).
That idea is pretty smart. The user can't just click ok. The other,
wrong combinations of words are generated locally, I hope?
Yes. It's not specified in the post, but I assume that you run some
xor a couple of times and generate the mnemonic of those values and
show them to the user.
Or barrel-shift the word. Take your pick. As long as you make sure
you don't end up with the same 32-bit value :)
But what about the case clicking the right one without verifying?
With just a few possible answers, that's quite likely.
Increase the list and place the correct one in a random position.
Don't put the correct one always at the top. I don't think you can do
better than that and keep it simple.
See the comments on the post. Jens actually talks about that. I agree
with him. If you want complete assurance, you might as well force the
user to compare the full sig.
BTW, the only thing I would add to that UI would be an
"Advanced" (hidden by default) section where you could find the full
sig, for really security-conscious users.
Best regards,
--
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: [EMAIL PROTECTED]
Use XMPP!
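An added example, not code from the thread or from the Cloudy Verification post, sketching the local side of the UI discussed above: both peers derive a 32-bit SAS from their shared secret, it is encoded with a word list, the wrong alternatives are generated locally by XOR or barrel rotation (rejecting anything that collides with the real value), and the real entry is placed at a random position. The 16-word list, the HMAC-based SAS derivation and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import random
from typing import List, Optional, Tuple

# Constructed stand-in word list (assumption): the real Mnemonic encoder uses a far
# larger dictionary; 16 words give 4 bits per word, so a 32-bit SAS becomes 8 words.
WORDS = ["acrobat", "balloon", "camera", "dragon", "eagle", "forest", "garden", "harbor",
         "island", "jacket", "kettle", "lemon", "magnet", "napkin", "orange", "pyramid"]
MASK32 = 0xFFFFFFFF


def derive_sas(shared_secret: bytes) -> int:
    """Both peers derive the same 32-bit SAS from the session secret (HMAC-SHA256, truncated; assumption)."""
    return int.from_bytes(hmac.new(b"sas", shared_secret, hashlib.sha256).digest()[:4], "big")


def encode_mnemonic(value: int) -> str:
    """Encode a 32-bit value as eight words, 4 bits each, most significant nibble first."""
    return " ".join(WORDS[(value >> shift) & 0xF] for shift in range(28, -1, -4))


def rotl32(value: int, n: int) -> int:
    """Barrel-rotate a 32-bit value left by n bits (one of the decoy derivations mentioned)."""
    n %= 32
    return ((value << n) | (value >> (32 - n))) & MASK32


def build_choices(sas: int, count: int = 6, rng: Optional[random.Random] = None) -> Tuple[List[str], int]:
    """Return `count` mnemonic strings and the index of the real one.

    Decoys are derived locally from the real SAS (XOR with a random mask or a barrel
    rotation) and discarded if they equal the real value. The real entry goes to a random
    index, so a user who clicks without reading is right only 1/count of the time.
    """
    rng = rng or random.SystemRandom()
    decoys = set()
    while len(decoys) < count - 1:
        if rng.random() < 0.5:
            candidate = sas ^ rng.getrandbits(32)
        else:
            candidate = rotl32(sas, rng.randrange(1, 32))
        if candidate != sas:  # never present the real value twice
            decoys.add(candidate)
    choices = [encode_mnemonic(v) for v in decoys]
    rng.shuffle(choices)
    correct_index = rng.randrange(count)
    choices.insert(correct_index, encode_mnemonic(sas))
    return choices, correct_index


def choice_is_correct(choices: List[str], correct_index: int, clicked_index: int) -> bool:
    """What the UI checks after the user picks the words the peer read out."""
    return choices[clicked_index] == choices[correct_index]
```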