Closed
Description
When you are asked to verify a device, the instructions say:
To verify that this device can be trusted, please contact its owner using some other means (e.g. in person or a phone call) and ask them whether the key they see in their User Settings for this device matches the key below: […]
IMHO, this is wrong. The owner should read out the fingerprint, and it should be up to the local user to verify the match. Otherwise, a malicious actor could simply ack the fingerprint as read out by the owner, and get them to trust a malicious device that somehow managed to fake the fingerprint.
I am not sure this is really an attack vector, but it seems wrong to ask someone else to make comparison calls that are critical to one's own trust definitions.
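The two flows the issue contrasts, modelled as an added example (this is illustrative code written for this note, not Riot/Matrix code; the fingerprint format, the key bytes and the parties are constructed). In the "ack" flow the local user reads out the key they see and the trust decision is whatever one-bit answer comes back; in the "local compare" flow the owner reads out the genuine key and the local user performs the comparison themselves. The code makes the difference concrete: only the second flow ever compares two fingerprints on the side whose trust is at stake.

```python
"""Who compares the fingerprint? A constructed model of two verification flows.

Hypothetical, not Matrix/Riot code. Fingerprint format and keys are made up.
"""
import hashlib
import hmac
from typing import Callable


def fingerprint(public_key: bytes) -> str:
    """Hypothetical fingerprint: SHA-256 of the key, shown as 16 groups of 4 hex chars."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalise(spoken: str) -> str:
    """Spoken fingerprints lose spacing and case; tolerate that before comparing."""
    return "".join(spoken.split()).upper()


def local_compare(seen_fingerprint: str, read_out_by_owner: str) -> bool:
    """Flow the issue argues for: the owner reads out the genuine key,
    the local user compares it with the key shown for the device.
    The decision is made locally, from two full fingerprints."""
    return hmac.compare_digest(
        normalise(seen_fingerprint).encode(),
        normalise(read_out_by_owner).encode(),
    )


def remote_ack(seen_fingerprint: str, answer_from_remote: Callable[[str], bool]) -> bool:
    """Flow the current instructions describe: the local user reads out the key
    they see and trusts the device iff the other end says "matches".
    Nothing is compared locally; the result is one bit from the remote."""
    return bool(answer_from_remote(seen_fingerprint))


# Constructed parties (stand-ins for real device public keys).
GENUINE_KEY = b"owner-genuine-device-key"
OTHER_KEY = b"some-other-device-key"


def diligent_owner(spoken: str) -> bool:
    """Owner who actually checks what was read to them against their own key."""
    return normalise(spoken) == normalise(fingerprint(GENUINE_KEY))


def careless_acker(_spoken: str) -> bool:
    """Whoever is on the other end just says "yes" without comparing."""
    return True


def run_scenarios() -> dict:
    """Outcome of each flow for the genuine device and for an unrelated device."""
    seen_genuine = fingerprint(GENUINE_KEY)
    seen_other = fingerprint(OTHER_KEY)
    owner_reads_out = fingerprint(GENUINE_KEY).lower()  # read over the phone, case lost
    return {
        "local_compare/genuine": local_compare(seen_genuine, owner_reads_out),
        "local_compare/other": local_compare(seen_other, owner_reads_out),
        "remote_ack/diligent/genuine": remote_ack(seen_genuine, diligent_owner),
        "remote_ack/diligent/other": remote_ack(seen_other, diligent_owner),
        "remote_ack/careless/other": remote_ack(seen_other, careless_acker),
    }


if __name__ == "__main__":
    for name, trusted in run_scenarios().items():
        print(f"{name:32s} trusted={trusted}")
```

The last scenario is the one the issue worries about: in the ack flow, a device with the wrong key is trusted as soon as the person answering says "yes", because the local user never sees the genuine fingerprint to compare against. In the local-compare flow the same wrong key is rejected regardless of what the other end feels like acknowledging, since the comparison happens on the side making the trust decision.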