Re: SSH revised

[Lluis]

El Tue, Mar 28, 2006 at 10:58:32PM +0200, Marcus Brinkmann ens deleità amb les 
següents paraules:
> Yeah, well.  We need a user interface expert here.  If we are serious 
> about this, I would try to contact somebody like Ka-Ping Yee 
> (http://www.sims.berkeley.edu/~ping/sid/).
> 
> Two confirmations make sense, but I was also considering an 
> "optimization": The "fingerprint picture" could be displayed as soon 
> as the user name is entered.  Then both could be confirmed at the same 
> time.
> 
> I have a cuter name for the "fingerprint picture" already: The user's 
> mascot.  The pictures must be so cute that the user will log in just 
> to see the mascot :)
> 
> In principle, the mascot could be chosen by the user, as long as every 
> user has a distinguishable one.  That is a challenge for the 
> administrator, though, of course.  So, it would be an interesting 
> research field to automatically determine "distinguishability", or to 
> automatically generate many distinguishable mascots algorithmically. 
> Of course, there are many other possible policies to choose the 
> mascot, for example by using photos taken from the user (like on photo 
> id cards), or words from a lexicon, typeset in different fonts, colors 
> and sizes, ...
> 
> Of course, the whole issue is highly user-interface specific: For 
> accessibility reasons, you also need other solutions.  Audio files? 
> Quotes from the literature?  User data like residence address?  Lots 
> of possibilities here.

But this all makes necessary to have part of the windowing system and the 
console (for those geeks who like to hack on a text only environment...  
you know who you are...) on the TCB (as it's the case of EROS, if I 
remember well). Yes, you already talked about this.  Yes, by pressing the 
sysreq key you can make sure the "fingerprint" is not forged. No, you can't 
make sure you're talking to the correct party when networked... (you must 
take some assumptions)

Hum... isn't all this overly complicated? I should have no doubts about 
wether I'm talking to the real login manager or not... and in fact, if I 
must be sincere (that I musn't, but I want to :)), this doesn't worry me on 
my day-to-day work (like the inmense majority of home computer users, I'm 
the administrator of it too... ough, did I say that this arises a problem 
of self-confidence?), as I don't have any special feature to check wether 
i'm using the trusted login... it's just that I trust on my debian to keep 
up on the hard work :)

Anyway, if this is really a feature to be on the system (as it seems to be 
on a system with this sort of demonstrable properties between its 
components), as this is a mechanism for everyone, it should be absolutely 
usable, meaning that the information that it provides should flow as 
fluently and clearly as possible.

So... well, I think there's a need for a user interface expert here, unless 
you think the proposed mechanisms so far are good enough. I'm *not sure* of 
that (really, I don't think they're bad).

Regards,
  Lluis

-- 
 "And it's much the same thing with knowledge, for whenever you learn
 something new, the whole world becomes that much richer."
 -- The Princess of Pure Reason, as told by Norton Juster in The Phantom
 Tollbooth
 
 Listening: Opeth - 03 - Harvest