[FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification

[Thomas Schorpp]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Shaw wrote:
| On Fri, Jul 16, 2004 at 05:30:45PM +0200, Thomas Schorpp wrote:
|
|>hello @all,
|>
|>since its little hard to cross-verify fingerprints on websites and
|>especially over telephone calls with human voice conversation due to
|>the long hexidecimal printouts of gpg --fingerprint, this could be a
|>significant issue to the whole openpgp trust verification system
|>impliing failure on human error.
|>
|>in short: its good reason therefore to have the old pgp way of
|>option to print out the fingerprint the "military style",
|>eg. "alpha, delta" easier and more securely human processable
|>substitutes for "0abc, cd ef" in gnupg, kgpg and enigmail, maybe
|>interesting for the ägypten projects too.
|
|
| The problem with this sort of thing is translation.  I don't know what
| "Alpha Bravo Charlie Delta Echo Foxtrot" would be in other languages,
| or even if it would be pronounced the same way.  Still, this is an ITU
| standard, so perhaps it would be familiar enough.
|
| http://www.columbia.edu/~fuat/cuarc/phonetic.html has a lot of
| phonetic alphabets.
|
| Incidentally, PGP has what their marketing calls "biometric"
| fingerprints.  This is just a word list so people don't have to read
| out the hex fingerprint.  For example, my key fingerprint is:
|
|     7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
|
| But in "biometric" form, it is:
|
|     klaxon         misnomer       willow         company
|     cleanup        potato         upset          hurricane
|     drainage       resistor       python         outfielder
|     suspense       guitarist      optic          hideaway
|     prowler        Capricorn      bombast        fortitude
|
| This would be a really big problem for translators.
|
| David

yes, agreed, additional comms translation stages, expecially human
language trans, must be out then, cos itll imply errors and endanger the
system, too risky.

and since the most people due to my surveys got most problems using
cryptographic systems apps and only few problems communicating a little
set of english words correctly, a us-english default for this held out
of gnupgs localisation translations should be acceptable(?).

security: the process of this fingerprint translation should be done
only within gnupgs secure core, respectively, kgpg, etc, should only
display the result.

are there any security analysises done about that "biometric trans" so far?

law question: will i violate nai's and patents rights in implementing
this or other usuable "biometric form" in gnupg?

tom














-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iQCVAwUBQPgJMWqsze5HSzyoAQL2ZgP/eHORDR/ah3Asm1SCtiEM7FIdUeZfhqfb
1bmXtJGgzzr+mdt93dhlZcXQCo6wNfJqpHPCJjWapJNExBPIovWwnnSZIqA+5/Ks
6ttU6Y4lHbAIqpYvO6MPH5DdjCMQAhJ30LM5KELMaiwqcjM3UIY1cwp8K6EJnkm2
yk5S5uii2N8=
=F+fC
-----END PGP SIGNATURE-----