
Security Of Identicons

In PubHubs hubs, users are identified by a (shortened) hash, like a3g-a48, to, in principle, prevent impersonation. “In principle”, because it’s unlikely that you’d remember another user’s hash, let alone notice when it’s changed. That’s why we’re considering using an ‘identicon’ like the one used by GitHub (and others), but we see two problems:

  1. How to prevent users from being assigned an identicon they consider offensive? (For example, one having the colors of an opposing soccer team.)
  2. Is it feasible for an attacker to obtain an identicon that’s close enough to another person’s identicon by registering a whole bunch of user accounts?
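
A rough way to size the second question, as an added example that is not PubHubs code: it estimates how many random registrations are needed before one identicon lands within a few cells of a target, and checks the estimate against a small simulation. Assumptions: a GitHub-style 5x5 mirrored grid with 15 free cells, colour ignored, "close enough" modelled as Hamming distance, and a constructed SHA-256 derivation with hypothetical account names.

```python
import hashlib
from math import ceil, comb, log

BITS = 15  # assumption: 5x5 mirrored grid leaves 15 independent cells


def pattern(account_id: str) -> int:
    """Constructed derivation: top 15 bits of SHA-256(account id)."""
    digest = hashlib.sha256(account_id.encode()).digest()
    return int.from_bytes(digest[:2], "big") >> 1


def hamming(a: int, b: int) -> int:
    """Number of grid cells in which two patterns differ."""
    return bin(a ^ b).count("1")


def near_fraction(max_diff: int, bits: int = BITS) -> float:
    """Fraction of all patterns within max_diff cells of one fixed target."""
    return sum(comb(bits, i) for i in range(max_diff + 1)) / 2**bits


def registrations_needed(max_diff: int, success: float = 0.5,
                         bits: int = BITS) -> int:
    """Smallest n with P(at least one near match in n registrations) >= success."""
    p = near_fraction(max_diff, bits)
    if p >= 1:
        return 1
    return ceil(log(1 - success) / log(1 - p))


def simulate(target_id: str, max_diff: int, limit: int = 50_000):
    """Register hypothetical accounts until one is near the target's pattern."""
    target = pattern(target_id)
    for n in range(1, limit + 1):
        if hamming(pattern(f"attacker-{n}"), target) <= max_diff:
            return n
    return None


if __name__ == "__main__":
    for d in range(4):
        print(f"cells allowed to differ: {d}  "
              f"fraction of patterns: {near_fraction(d):.5f}  "
              f"registrations for 50%: {registrations_needed(d)}  "
              f"simulated first hit: {simulate('a3g-a48', d)}")
```

The same functions can be rerun with a larger `bits` value to see how much a richer identicon raises the number of registrations required.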

If you are interested in this topic, please send an email to Bram Westerbaan via awesterb@cs.ru.nl .