Casual crypto

(inspired by the big thread about XMPP end-to-end security over at security@xmpp.org)

Authentication sucks. Without it, crypto is automatic and decentralized, but insecure; doing it introduces a dependency on human intervention or a trusted third party.

I don't like trusting "authoritative" third parties, so I'm most interested in making the human intervention required as simple as possible.

Aiming for an authentication system that Aunt Tillie will use is unrealistic; there's no reason for her to care.

But we should aim higher than Uncle Peter, who always checks SSH fingerprints and is willing to do whatever he needs to when privacy is important.

A better target is Cousin Dave, who works in IT or took a CompSci course at business school. He doesn't know the difference between Diffie-Hellman and Blum Blum Shub, but he's aware of crypto, he's competent, and he's willing to expend minimal_amount_of_effort for privacy.

This is not to say that Uncle Peter's use cases should be neglected, just that a system doesn't need to be 100% usable by everybody to be better than what we've got.

Support for short authentication strings lowers the barrier to entry nicely, without making any significant compromises.
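To make concrete what "short authentication string" buys Cousin Dave, here is a toy commit-then-reveal SAS exchange. It is an added example, not code from the original post or from any XMPP project: opaque 32-byte values stand in for the Diffie-Hellman public values, the 20-bit four-character SAS length, the hash labels and the message order are all my assumptions, chosen to mirror the hash-commitment style used by ZRTP. The point it shows is that the humans only ever compare four characters, while an active relay that runs two separate sessions still produces two different strings, and the commitment stops either party (or a relay) from picking its value after seeing the other side's.

```python
"""Toy short-authentication-string (SAS) exchange: commit, exchange, reveal, compare.

Assumptions (not from the original post): 32-byte opaque values play the role of
DH public values, the SAS is 20 bits shown as 4 base32 characters, and the
initiator commits to its value before the responder sends theirs.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SAS_CHARS = 4  # 4 base32 characters = 20 bits: short enough to read over the phone


def commitment(public_value: bytes) -> bytes:
    """Hash commitment the initiator sends before it has seen the responder's value.

    Because the initiator is locked in first and the responder then has to send
    its value blind, neither side can grind candidate values to steer the SAS.
    """
    return hashlib.sha256(b"sas-commit|" + public_value).digest()


def commitment_matches(commit: bytes, revealed: bytes) -> bool:
    """Responder's check that the revealed value is the one committed to."""
    return hmac.compare_digest(commit, commitment(revealed))


def derive_sas(initiator_pk: bytes, responder_pk: bytes) -> str:
    """Derive the short string both users read out and compare.

    Order matters: the transcript is (initiator, responder), so each user's SAS
    is bound to the exact pair of values *their* session saw.
    """
    digest = hashlib.sha256(b"sas-derive|" + initiator_pk + b"|" + responder_pk).digest()
    # 3 bytes -> 5 base32 chars (plus padding); keep the first 4 = 20 bits.
    return base64.b32encode(digest[:3]).decode("ascii")[:SAS_CHARS].lower()


@dataclass
class Outcome:
    sas_seen_by_a: str
    sas_seen_by_b: str
    b_accepted_commitment: bool

    def users_agree(self) -> bool:
        """What Cousin Dave actually does: compare two short strings."""
        return self.sas_seen_by_a == self.sas_seen_by_b


def honest_exchange(pk_a: bytes, pk_b: bytes) -> Outcome:
    """A and B talk directly: both transcripts are identical, so the SAS matches."""
    c = commitment(pk_a)            # 1. A -> B: commit to pk_a
    #                                 2. B -> A: pk_b (sent blind, A is locked in)
    ok = commitment_matches(c, pk_a)  # 3. A -> B: reveal pk_a; B checks the commitment
    sas = derive_sas(pk_a, pk_b)
    return Outcome(sas, sas, ok)


def relayed_exchange(pk_a: bytes, pk_b: bytes, pk_m_to_a: bytes, pk_m_to_b: bytes) -> Outcome:
    """An active relay M runs two separate, individually well-formed sessions.

    Every cryptographic check inside each session passes, which is exactly why
    the out-of-band SAS comparison is needed: the two users see strings derived
    from two different transcripts, and the mismatch is what they detect.
    """
    # Session A <-> M (M plays the responder to A).
    c_a = commitment(pk_a)
    assert commitment_matches(c_a, pk_a)
    sas_a = derive_sas(pk_a, pk_m_to_a)
    # Session M <-> B (M plays the initiator to B).
    c_m = commitment(pk_m_to_b)
    ok = commitment_matches(c_m, pk_m_to_b)
    sas_b = derive_sas(pk_m_to_b, pk_b)
    return Outcome(sas_a, sas_b, ok)


if __name__ == "__main__":
    # Fresh random stand-ins for the public values (constructed, not real keys).
    a, b = secrets.token_bytes(32), secrets.token_bytes(32)
    m1, m2 = secrets.token_bytes(32), secrets.token_bytes(32)
    direct = honest_exchange(a, b)
    print("direct :", direct.sas_seen_by_a, direct.sas_seen_by_b, "agree =", direct.users_agree())
    relayed = relayed_exchange(a, b, m1, m2)
    print("relayed:", relayed.sas_seen_by_a, relayed.sas_seen_by_b, "agree =", relayed.users_agree())
```

A 20-bit string gives a relay roughly a one-in-a-million chance per attempt of the two strings colliding by luck, and the commitment step is what keeps that from becoming a brute-force search; that is the sense in which a four-character comparison is not a significant compromise compared with reading out a full fingerprint.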