[OTR-users] Work In Progress analogy for OTR - feedback please

Ximin Luo infinity0 at pwned.gg
Sat Oct 25 07:35:41 EDT 2014


On 25/10/14 12:10, Ian Goldberg wrote:
> On Sat, Oct 25, 2014 at 10:57:54AM +0100, Bernard Tyers wrote:
>> Hi,
>>
>> I am working on an idea for a cryptoparty for non-technical people, called "Humane Cryptoparty".
>>
>> This idea has come out of my HCI dissertation last year on non-technical user mental models and OTR. 
>>
>> One finding was users had good theoretical mental models of OTR, but bad functional, or vice-versa. This led them to make mistakes.
>>
>> The objective of the human cryptoparty is to see the effect understanding the concepts of OTR has on user behaviour and their usage of OTR.
>>
>> In short, the idea I have is to explain various important concepts with non-technical analogies. This is not easy to do correctly, I know. 
>>
>> I have been working on some analogies for OTR. I’d like to get your advice on how valid this is.
>>
>> The objective is not to be as non-technical as possible, while explaining the concepts involved.
>>
>> The analogy uses: 
>>
>> - envelopes (encryption)
>> - unique adhesives (public keys)
>> - unique "glitter" patterns (perfect forward secrecy)
>> - solvents (private keys)
> 
> That all seems awfully complicated.  You seem to be wanting to emulate
> the *mechanisms* rather than explaining the *outcomes*.  Is that
> important?  Does your audience really need to understand the effect of
> private keys, etc.?
> 

I think these sorts of explanations based on real-world analogies, when done correctly, can help clear the mystique around cryptography. A lot of people automatically switch off because the low level building blocks involve maths, but the higher-level constructions can often be quite intuitive.

Of course this is too much detail to expect every user to know, but it's good to have it on hand, for explaining things to curious users that are not mathematically-trained. If a user is interested enough to spend several hours at a cryptoparty, I'd think this could make for a good "second/later course" after learning the basics of "how to use the software".

Also, I think some of the outcomes are indeed quite complex, that even if you did word them in one single sentence, this would be quite confusing to someone without the suitable background knowledge to understand the phrases used in that sentence. For example, even this from the OTR home page:

"If you lose control of your private keys, no previous conversation is compromised."

Someone with no understanding of what "private keys" or "compromise" means, might not even realise that other systems don't have PFS. For example, if you send a message in a locked box, then someone steals your key, does that mean the message was compromised? To properly explain this to someone *without background* would take more sentences. (Many people don't even realise that other systems don't have end-to-end security!)

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
