From bd700e031342d08f5f7693d4d68649f279cbfbf0 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 4 Dec 2023 00:20:22 +0100 Subject: [PATCH] add link to schuermann-usenix2016.pdf --- book/source/04-certificates.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 2e750d7..055547e 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -525,7 +525,9 @@ For example, in workflows to accept a certificate for a communication partner, o The OpenPGP version 6 standard uses 32 byte (256 bit) fingerprints, but explicitly defines no format for displaying those fingerprints in a human-readable form. The standard [recommends strongly against](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-fingerprint-usability) using version 6 fingerprints as identifiers in user-facing workflows. -Instead, "mechanical fingerprint transfer and comparison" should be preferred, wherever possible. The reasoning is that humans tend to be bad at comparing high-entropy data (in addition, many users are probably put off by being asked to compare long hexadecimal strings). +Instead, "mechanical fingerprint transfer and comparison" should be preferred, wherever possible. The reasoning is that humans tend to be bad at comparing high-entropy data[^schuermann] (in addition, many users are probably put off by being asked to compare long hexadecimal strings). + +[^schuermann]: See "An Empirical Study of Textual Key-Fingerprint Representations" #### Use of Fingerprints and Key IDs in APIs
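Review bot: the footnote added in this hunk does not match the commit subject: the subject says "add link to schuermann-usenix2016.pdf", but the new `[^schuermann]:` line carries only the paper title and no link, author or venue, so a reader cannot follow the citation. Suggest completing the footnote with the actual URL of the PDF named in the subject and the authors/venue, e.g. `[^schuermann]: See "An Empirical Study of Textual Key-Fingerprint Representations", <URL of schuermann-usenix2016.pdf>.`, and ending the entry with a period for consistency with the surrounding prose.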