[Freedombox-discuss] Tap-to-share PGP key exchange

dave dave at posteo.de
Fri Sep 30 14:07:00 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I provided this with my original post: http://timur.mobi/anymime-ksp/
Can you please phrase your concern relative to the fingerprint
verification example?

On 30.09.2011 15:50, Ted Smith wrote:
> So, how can a user verify that the key material comes from the
> expected peer? I know nothing of bluetooth and NFC, so instead of
> describing low-level protocols (which in most cases are NOT
> implemented using free software and CANNOT be naively trusted),
> please describe what I'd see using your app.
> 
> On Fri, 2011-09-30 at 13:46 +0200, Timur Mehrvarz wrote:
>> DKG, your impression that there is no security in place when
>> using Bluetooth and NFC is not true. Anymime uses encrypted and 
>> authenticated communications only. And NFC does not just make
>> the procedure much more usable, it also removes the weakest spot
>> with "long range" Bluetooth: device discovery. What is needed now
>> is that people play with it and try to break it. And more devices
>> with NFC chips must become available.
>> 
>> I will prepare another reply with more info, just need a bit
>> more time. My impression is that those who specify and implement
>> the lower layers are honest about security. Also keep in mind
>> that payment is one important use case here. Why not benefit from
>> the effort?
>> 
>> I've been following this list long enough to be aware of the QR
>> discussion. I think both technologies need to be implemented for
>> key exchange. If someone comes to you with a QR code printed on a
>> business card, your NFC chip won't help much.
>> 
>> Thank you Stefano + Michael for your encouraging words. Timur
>> 
>> On 29.09.2011 17:45, Daniel Kahn Gillmor wrote:
>>> i'm concerned that bluetooth and NFC don't provide much
>>> protection against spoofing.  that is, can the operator of a
>>> device using these technologies verify that the communication
>>> comes from the expected peer? or is it possible for a nearby
>>> attacker with control over the RF spectrum to inject messages
>>> into the communication?
>>> 
>>> The advantage of the optical approach (QR codes and webcams) 
>>> discussed some months ago on this list (see posts about 
>>> "monkeysign" and "manus vexo") is that a (sighted) human user
>>> can observe the communication between devices directly and
>>> ensure that there is no tampering.
>>> 
>>> Is there some mechanism with bluetooth or NFC that offers 
>>> equivalent protection from network interference?
>>> 
>>> --dkg
>>> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOhc0EAAoJEEZKfnE03M65fmUH/2y9PX6riATBRPF3GVNdASIV
i5y1U3UDyHfvnuM4A8uBEknEyaSC0a9OpMdfQ1UeBd9+SNgtnEuAxsAOFYYnT5OA
g+X7DvmIwkhNw5kUivNxKEWwyg6HPBrwme6KbwYfa8JdojodlB8sMnMqlOFW5bCG
pc9j2G60AI7jBvnY/grE3qUjT9fio6WBDgRhD/rx3GXSaUqbVgBUNEYRg1Xu2rqp
C3X/1EoS3Ug6eb7Xr7C5sug+jhCVDLuZr8AxjiWUcxvYFZdwJcsF8AyjxXFo/Ozn
ksZNDVUtmMaKB4pqR1SLcRIzjhdLUyBDwgLmlayTuX8xSbFw9+mrM1NL0NmjNGA=
=pxyN
-----END PGP SIGNATURE-----
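The thread's open question is how a user can tell that the key material that arrived over Bluetooth or NFC really belongs to the expected peer, and Timur points at fingerprint verification as the answer. The following is an added illustration of that check, written for this page; it is not code from Anymime or from the FreedomBox project, and it does not model Anymime's radio protocol at all. It treats the radio link as untrusted and puts the only trust decision in one place: the device computes the OpenPGP v4 fingerprint (SHA-1 over 0x99, a two-byte length and the public-key packet body, as specified in RFC 4880 section 12.2) of whatever key actually arrived, and the user compares that against the fingerprint the peer's own device displays. The sample keys, the timestamp and the names ALICE_KEY, MALLORY_KEY, accept_received_key and simulate_tap are constructed for the example; the moduli are not real RSA keys.

```python
"""Fingerprint-based peer verification for a tap-to-share key exchange.

Added example, not Anymime or FreedomBox code. The radio link is treated
as untrusted: the user sees the fingerprint of the key that actually
arrived, and the exchange is accepted only if it matches the fingerprint
shown on the peer's own screen (or printed on the peer's card).
"""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880 12.2): SHA-1(0x99 || 2-byte length || packet body), 40 hex chars."""
    if len(packet_body) > 0xFFFF:
        raise ValueError("public-key packet body too long for v4 fingerprint framing")
    h = hashlib.sha1()
    h.update(b"\x99" + struct.pack(">H", len(packet_body)) + packet_body)
    return h.hexdigest().upper()


def format_fingerprint(fp: str) -> str:
    """Group a 40-hex-digit fingerprint into ten blocks of four, the way gpg --fingerprint prints it."""
    return " ".join(fp[i:i + 4] for i in range(0, 40, 4))


def key_id(fp: str) -> str:
    """Long key ID: the low 64 bits, i.e. the last 16 hex digits, of the v4 fingerprint."""
    return fp[-16:]


def accept_received_key(received_packet_body: bytes, fingerprint_shown_by_peer: str) -> bool:
    """The only trust decision in the exchange.

    received_packet_body is whatever came over the radio link; an attacker
    controlling the RF spectrum may have replaced it. fingerprint_shown_by_peer
    is what the user read off the peer's screen or card. The comparison is
    constant-time so a wrong guess does not leak how many digits matched.
    """
    shown = fingerprint_shown_by_peer.replace(" ", "").upper()
    if len(shown) != 40 or any(c not in "0123456789ABCDEF" for c in shown):
        return False
    return hmac.compare_digest(v4_fingerprint(received_packet_body), shown)


# Constructed sample keys for the illustration only: these are not real RSA keys,
# the moduli are just fixed 256-bit numbers to keep the packets short.
ALICE_KEY = rsa_public_key_packet_body(
    n=0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF,
    e=65537, created=1317391620)
MALLORY_KEY = rsa_public_key_packet_body(
    n=0x9E3779B97F4A7C15F39CC0605CEDC8341082276BF3A27251F86C6A11D0C18E95,
    e=65537, created=1317391620)


def simulate_tap(attacker_swaps_key: bool) -> bool:
    """One tap: Alice's screen shows her fingerprint; the key packet itself crosses the RF link.

    Returns Bob's accept/reject decision. With attacker_swaps_key=True the
    packet Bob receives is Mallory's, injected into the radio channel.
    """
    fingerprint_on_alices_screen = format_fingerprint(v4_fingerprint(ALICE_KEY))
    what_bob_received = MALLORY_KEY if attacker_swaps_key else ALICE_KEY
    return accept_received_key(what_bob_received, fingerprint_on_alices_screen)


if __name__ == "__main__":
    fp = v4_fingerprint(ALICE_KEY)
    print("Alice's fingerprint:", format_fingerprint(fp), "key ID:", key_id(fp))
    print("honest tap accepted:", simulate_tap(False))
    print("RF-injected key accepted:", simulate_tap(True))
```

What this shows relative to the thread: whether the bytes arrive over NFC, Bluetooth or a QR scan changes only how convenient the transport is. If the fingerprint the user compares is the one rendered by the peer's own device, a key substituted on the radio link fails the comparison; if the app instead showed a fingerprint that itself arrived over the untrusted link, the check would verify nothing. The QR/webcam approach dkg describes is the same comparison carried out on a channel the user can watch directly.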


