[Freedombox-discuss] Tap-to-share PGP key exchange

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Sep 29 15:45:06 UTC 2011

On 09/29/2011 10:38 AM, Timur Mehrvarz wrote:

> I just released v1.0 of Anymime for Android. This app provides ad-hoc
> 2-way file transfer over Bluetooth. If NFC is supported, connectivity
> can be established by tapping two devices, which practically allows
> hands off operation.


> Anymime comes with two PGP specific extensions: a fingerprint comparison
> app and a mechanism to scp-upload key files from your smartphone to your
> "home server", allowing other parties to gain immediate access to your
> services. I hope this could be usefull to Freedombox users.

i'm concerned that bluetooth and NFC don't provide much protection
against spoofing.  that is, can the operator of a device using these
technologies verify that the communication comes from the expected peer?
 or is it possible for a nearby attacker with control over the RF
spectrum to inject messages into the communication?

The advantage of the optical approach (QR codes and webcams) discussed
some months ago on this list (see posts about "monkeysign" and "manus
vexo") is that a (sighted) human user can observe the communication
between devices directly and ensure that there is no tampering.

Is there some mechanism with bluetooth or NFC that offers equivalent
protection from network interference?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110929/779dab8e/attachment.pgp>

More information about the Freedombox-discuss mailing list