From acd9a5d32f22afc10a807ffdc4da5ccb6ce87fcf Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Mon, 20 Aug 2018 19:35:27 -0400 Subject: [PATCH] add note about Bob mashing the "Verify" button prematurely --- proposals/1543-qr_code_key_verification.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/proposals/1543-qr_code_key_verification.md b/proposals/1543-qr_code_key_verification.md index 0256cafbb..8388d27f7 100644 --- a/proposals/1543-qr_code_key_verification.md +++ b/proposals/1543-qr_code_key_verification.md @@ -83,6 +83,21 @@ Step 4 is to ensure that Bob does not present a QR code claiming to be Carol's key. Without this check, Bob will be able to trick Alice into verifying a key under his control, and evesdropping on Alice's communications with Carol. +The security of verifying Alice's key depends on Bob not hitting the "Verified" +button until after Alice's device indicates success. However, users have a +tendency to click on buttons without reading what the screen says. This might +be addressed by: + +- allowing Bob to easily undo the verification if Alice's device subsequently + gives an error +- posing Bob a dummy question that he cannot answer until after Alice's device + displays the check results. For example: "Does Alice's device show a cat or + a dog?" Alice's device will show one or the other after it has checked the + key received from Bob, forcing Bob to wait for the check to complete. + (Whether a cat or a dog is displayed could be keyed to, for example, a bit in + the transaction ID.) +- (possibly other ways) + Other Issues ------------
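Review bot: the second added bullet (the cat/dog dummy question) says Alice's device shows one or the other "after it has checked the key received from Bob", but it never says the image appears only when the check succeeds. If the image is also shown when the check fails, Bob can answer the question correctly and still confirm a verification that Alice's device rejected. Suggest stating explicitly that the cat or dog is displayed only on success and that a failure shows neither. The parenthetical keys the choice to a single bit of the transaction ID, so a Bob who clicks without reading still guesses right half the time; a larger set of images or a short code would make the wait harder to bypass. The first bullet should say how Bob's device learns that Alice's device gave an error, since the undo depends on it. Minor: the commit subject calls the button "Verify" and the added text calls it "Verified"; pick one.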