[FEATURE REQ, RFC], improving ergonomic HMI fingerprint cross verification

David Shaw dshaw at jabberwocky.com
Fri Jul 16 21:35:50 CEST 2004


On Fri, Jul 16, 2004 at 06:58:28PM +0200, Thomas Schorpp wrote:

> and since the most people due to my surveys got most problems using
> cryptographic systems apps and only few problems communicating a
> little set of english words correctly, a us-english default for this
> held out of gnupgs localisation translations should be
> acceptable(?).

I don't think this would work.  The whole point of using a word list
instead of hex letters is to make things easier and more secure.  A
non-English speaker is going to have some serious problems reading a
word list like that.  I'd argue that this is actually harder and less
secure than just reading the hex fingerprint.

Even people who don't speak a word of English can read hex.

> law question: will i violate nai's and patents rights in
> implementing this or other usable "biometric form" in gnupg?

Maybe.  I expect that the word list was purchased by the pgp.com folks
when they bought the rights to PGP a few years back.  I do not know if
they have any restrictions on the list (trademark or copyright, since
I doubt a list of words is patentable, though the technique of word
lookup might be, despite the s/key prior art).

David



More information about the Gnupg-devel mailing list