On 02/24/16 00:22, Allen wrote:
>>
>> Secondly, with the requirement that nickname@xxxxxxxxxxxx be unique,
>> I could write that nickname on a business card and hand it out. People
>> could verify at a verification service that there is only one
>> certificate (and public key) for that name and be sure to have gotten
>> *my* public key. From that point, they can send encrypted messages to me.
>>
>
> That's not a service that I would use myself. If I wanted people to be
> able to get my public key from a business card, I would print the key
> itself on my card using a QR code. The other stuff you listed also doesn't
> have much interest to me personally, but I can't speak for anyone else.

Granted, it's secure to print a fingerprint on a business card but it's not so user friendly. And as studies[1] have shown, most 'normal' people won't be as judicious with fingerprint validation as the security minded. And I believe both groups deserve the same strength in security.

Would you use this service if all you'd have to do is type in the user's nickname@site and your computer would validate if there is only one certificate attached to that name? If so, you can be sure that only the intended recipient can decrypt it.

If the computer would find multiple certificates - or none at all - it would give an error and wouldn't allow communication because it couldn't determine the correct public key to use.

Or what about being able to scribble a nickname@site address on the back of a beer coaster in a bar?

My drive is to make key exchange happen as a natural part of normal interactions between people. Not as a separate step that could be neglected, forgotten or done wrong.

Regards, Guido Witmond.

1a: Why Johnny can't encrypt.
1b: Engineering Security, by Peter Gutmann.
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk