Passphrase in addition to Fingerprint

Daniel Kahn Gillmor dkg at
Tue Jul 9 17:08:41 CEST 2013

On 07/08/2013 05:15 PM, Thorsten Sick wrote:
> Thanks for finding this idea. It is similar but not the same. The old
> idea you found is a cool trick for reading out loud the fingerprint.
> What I want is to create a short phrase that you can not get out of your
> mind. This is similar to the tricks these memory performers use to
> remember a phone book.
> This way I can verify the keys of my friends just be meeting them on the
> streets without business cards.
> Also good for phone verification.
> Disadvantage could be the small "key space". But even if it is worse
> than the fingerprint verification, it is lots better than nothing.

If you're talking about actually making a phrase that has significantly
less entropy and encouraging people to use that in place of a
fingerprint, i think that's a bad idea.  It's bad enough that many
people seem to think that their 8-character "short keyid" (the last 4
octets of their fingerprint) is a strong identifier; it's not -- it
takes an hour or so on cheap consumer hardware to find a colliding short

We shouldn't be introducing new weak identifiers to a system that
actually needs strong identifiers.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130709/57dbf7a9/attachment.sig>

More information about the Gnupg-devel mailing list