[Freedombox-discuss] Tap-to-share PGP key exchange

Ted Smith tedks at riseup.net
Fri Sep 30 13:50:28 UTC 2011

So, how can a user verify that the key material comes from the expected
peer? I know nothing of bluetooth and NFC, so instead of describing
low-level protocols (which in most cases are NOT implemented using free
software and CANNOT be naively trusted), please describe what I'd see
using your app.

On Fri, 2011-09-30 at 13:46 +0200, Timur Mehrvarz wrote:
> DKG, your impression that there is no security in place when using
> Bluetooth and NFC is not true. Anymime uses encrypted and
> authenticated communications only. And NFC does not just make the
> procedure much more usable, it also removes the weakest spot with
> "long range" Bluetooth: device discovery. What is needed now is that
> people play with it and try to break it. And more devices with NFC
> chips must become available.
> I will prepare another reply with more info, just need a bit more
> time. My impression is, that those who specify and implement the lower
> layers are honest about security. Also keep in mind that payment is
> one important use case here. Why not benefit from the effort?
> I'm following this list long enough to be aware of the QR discussion.
> I think both technologies need to be implemented for key exchange. If
> someone comes to you with QR code printed on a business card, your NFC
> chip won't help much.
> Thank you Stefano + Michael for your encouraging words.
> Timur
> On 29.09.2011 17:45, Daniel Kahn Gillmor wrote:
> > i'm concerned that bluetooth and NFC don't provide much protection
> >  against spoofing.  that is, can the operator of a device using 
> > these technologies verify that the communication comes from the 
> > expected peer? or is it possible for a nearby attacker with
> > control over the RF spectrum to inject messages into the
> > communication?
> > 
> > The advantage of the optical approach (QR codes and webcams) 
> > discussed some months ago on this list (see posts about 
> > "monkeysign" and "manus vexo") is that a (sighted) human user can 
> > observe the communication between devices directly and ensure that 
> > there is no tampering.
> > 
> > Is there some mechanism with bluetooth or NFC that offers 
> > equivalent protection from network interference?
> > 
> > --dkg
> > 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110930/3f1fded6/attachment.pgp>

More information about the Freedombox-discuss mailing list