Key exchange

Jun 6, 2014 at 9:26 PM
Edited Jun 6, 2014 at 10:03 PM
One topic in today's stand-up was the importance (and difficulty) of presenting key exchange in a way that makes sense to non-geeks. I referenced Groove as the only system I know that succeeded, and recalled one aspect of it: verification of a new contact's public key's thumbprint.

I made a Prior Art section on the wiki, included a link to a 2007 white paper on Groove security, and quoted some highlights.

As a result, I think I now recall better how intial contact exchange worked, and especially how it worked in the original Groove which was more purely P2P than in the later 2007 version documented in that white paper. Originally email was the main vector for invitations to shared spaces. When invitations came from new contacts, you'd land in the same sort of Add Contact UI that, in the 2007 white paper, was more typically preceded by directory lookup.

In both cases, there was then a recommended verification step. You were encouraged to connect with the new contact out-of-band, i.e. on a phone call, and ask the person to recite their public key's thumbprint which Groove was showing you (in the Add Contact UI).

I might have done this once because I was writing a book chapter on Groove security. But I never did it in my own use of Groove and strongly suspect that was true for nearly all civilian/non-geek users. If you found the person in a directory, you'd trust the directory. More importantly from a Thali perspective, if the contact arrived in email, you'd already made a trust decision before you read the email or opened the attachment. That decision was to collaborate with certain people, for a certain purpose, using Groove. So the invitation didn't come out of the blue. You were expecting it, or reasonably could be expecting it, because the interaction was part of a broader social context.

If I am recalling all this correctly, it makes me feel better about Thali's plan to use email as a vector for new contacts (as an alternative to QR codes traded face-to-face). That's what Groove did, and it worked intuitively for people.

Still, Thali isn't only for civilian/non-geek users. The mil/gov/geek crowd <s>will</s> may expect to verify identities and should be able to. QR code exchange face-to-face embodies that, which is sweet. For email exchange, though, should we make fingerprint verification an option the way Groove did?
Jun 6, 2014 at 9:49 PM
Jun 6, 2014 at 10:00 PM
As you say, not a priority. But it's good to have thought clearly about it, and wow, you really did. Thanks!