[Cryptography] Thoughts about keys

[Jeremy Stanley]

On 2013-09-01 13:02:26 +1000 (+1000), James A. Donald wrote:
> On 2013-09-01 11:16 AM, Jeremy Stanley wrote:
> [...]
> > bring business cards (or even just slips of paper) with our name,
> > E-mail address and 160-bit key fingerprint.
> [...]
> 
> The average user is disturbed by the sight a 160 bit hash.
[...]

Perry was recounting a specific anecdote of meeting others at
conferences (well, in bars after hours at conferences) and needing
to exchange contact info spontaneously in person with an expectation
of being able to securely communicate later. His implication was
that this is an unsolved problem, and I was merely pointing out that
an already-existing culture of non-trivial size has been doing
precisely this on a regular basis for years. Perhaps the academic
conference and free software conference worlds are so far apart as
to make this a poor comparison after all, but it seemed a relevant
data point.

The "average" user is going to have bigger problems... glancing at a
sequence of 40 hex digits to compare them to the fingerprint GnuPG
gives them for your public key they just pulled from a keyserver is
merely the tip of a much bigger key vetting and signing iceberg, but
the in-person introduction piece is not that hard with a little bit
of preparation (I've gotten in the habit of carrying key fingerprint
cards in my wallet everywhere I go).
-- 
{ PGP( 48F9961143495829 ); FINGER( fungi at cthulhu.yuggoth.org );
WWW( http://fungi.yuggoth.org/ ); IRC( fungi at irc.yuggoth.org#ccl );
WHOIS( STANL3-ARIN ); MUD( kinrui at katarsis.mudpy.org:6669 ); }