Passphrase in addition to Fingerprint
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jul 9 17:08:41 CEST 2013
On 07/08/2013 05:15 PM, Thorsten Sick wrote:
> Thanks for finding this idea. It is similar but not the same. The old
> idea you found is a cool trick for reading out loud the fingerprint.
>
> What I want is to create a short phrase that you can not get out of your
> mind. This is similar to the tricks these memory performers use to
> remember a phone book.
>
> This way I can verify the keys of my friends just by meeting them on the
> streets without business cards.
>
> Also good for phone verification.
>
> Disadvantage could be the small "key space". But even if it is worse
> than the fingerprint verification, it is lots better than nothing.
If you're talking about actually making a phrase that has significantly
less entropy and encouraging people to use that in place of a
fingerprint, I think that's a bad idea. It's bad enough that many
people seem to think that their 8-character "short keyid" (the last 4
octets of their fingerprint) is a strong identifier; it's not -- it
takes an hour or so on cheap consumer hardware to find a colliding short
keyid.
We shouldn't be introducing new weak identifiers to a system that
actually needs strong identifiers.
--dkg
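An added example, not part of dkg's message, showing concretely how the identifiers he compares are related and why 32 bits is not a strong identifier. The derivation of key IDs follows RFC 4880 section 12.2 (a v4 key ID is the low-order 64 bits of the SHA-1 fingerprint, the 8-hex-digit short keyid the low-order 32 bits). The fingerprint used is constructed, not anyone's real key, and the search loop replaces real key generation with a hypothetical stand-in (SHA-1 of a counter) so it runs in seconds; the only thing that changes with real keys is the cost of each trial, not the number of trials needed.

```python
"""Added example (not from the original message): how short a 32-bit
"short keyid" really is.  Key-ID derivation follows RFC 4880 12.2; the
search model is a toy stand-in for key generation, not an OpenPGP tool."""
import hashlib

HEX_DIGITS = set("0123456789ABCDEF")


def key_ids(fingerprint_hex: str) -> dict:
    """Derive the long (64-bit) and short (32-bit) key IDs from a v4 fingerprint.

    RFC 4880 12.2: the key ID is the low-order 64 bits of the 160-bit SHA-1
    fingerprint; the 8-hex-digit "short keyid" is the low-order 32 bits,
    i.e. the last 4 octets dkg refers to.
    """
    fp = fingerprint_hex.replace(" ", "").upper()
    if len(fp) != 40 or not set(fp) <= HEX_DIGITS:
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return {"fingerprint": fp, "long_keyid": fp[-16:], "short_keyid": fp[-8:]}


def expected_trials(bits: int) -> int:
    """Expected number of fresh keys to generate before one reproduces a
    *given* identifier of `bits` bits (a second preimage on a truncated
    hash).  A birthday collision between any two keys is cheaper still,
    about 2**(bits/2), but an impersonator needs a specific target."""
    return 2 ** bits


def toy_fingerprint(counter: int) -> bytes:
    """Hypothetical stand-in (constructed for this example) for 'generate
    another key and fingerprint it': SHA-1 of a counter.  Real key
    generation costs far more per trial, which is the only thing that
    separates 'an hour or so' from 'a few seconds' here."""
    return hashlib.sha1(b"toy-key-%d" % counter).digest()


def find_matching_suffix(target_fp: bytes, bits: int,
                         max_trials: int = 1 << 22) -> tuple:
    """Search for a toy 'key' whose low `bits` bits of fingerprint equal the
    target's, the way someone forging a truncated identifier would.
    Returns (trials_used, matching_fingerprint) or (max_trials, None)."""
    mask = (1 << bits) - 1
    want = int.from_bytes(target_fp, "big") & mask
    for i in range(1, max_trials + 1):
        fp = toy_fingerprint(i)
        if int.from_bytes(fp, "big") & mask == want:
            return i, fp
    return max_trials, None


if __name__ == "__main__":
    # Constructed fingerprint for the demonstration, not anyone's real key.
    fp = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    ids = key_ids(fp)
    print("long keyid :", ids["long_keyid"])
    print("short keyid:", ids["short_keyid"])
    target = bytes.fromhex(ids["fingerprint"])
    # Trials grow as 2**bits: watch it double with every extra bit.
    for bits in (12, 16, 20):
        trials, _ = find_matching_suffix(target, bits)
        print(f"{bits}-bit suffix matched after {trials} trials "
              f"(about {expected_trials(bits)} expected)")
    print("32-bit short keyid: about", expected_trials(32),
          "key generations expected; a 160-bit fingerprint: about 2**160.")
```

The loop is what the "hour or so" estimate rests on: matching n bits of somebody else's identifier costs about 2**n key generations regardless of how the identifier is presented, so a memorable phrase derived from a few dozen bits of the fingerprint inherits exactly this weakness, while checking the full 40-hex-digit fingerprint does not.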