[Freedombox-discuss] Tap-to-share PGP key exchange
Timur Mehrvarz
timur.mehrvarz at googlemail.com
Fri Sep 30 15:02:23 UTC 2011
On 30.09.2011 16:29, Ted Smith wrote:
> So, it seems that your app uses Bluetooth to transfer key
> material, and then relies on users manually verifying
> fingerprints.
This is correct. Anymime does not transmit fingerprints but only the
full keys.
> Is it possible to use Intents from another app to transfer files
> over anymime? Or is it possible to do the same to allow monkeysign
> to verify fingerprints from anymime-ksp? I'm not an android expert,
> but that seems like the best way of going about doing this.
The anymime-ksp activities are already available to any app. It's only
a matter of requisting an intent with...
intent.setDataAndType(pgpFileUri,"application/pgp")
Your "Apply action..." popup will then contain both:
ShowPgpFingerprintActivity and UploadPgpFilesPopupActivity. Android is
genius in this regard. Good luck implementing this for iOS.
On 30.09.2011 16:43, Daniel Kahn Gillmor wrote:
> My main concern is that visually comparing two strings of 40
> hexadecimal digits is beyond the attention span of most humans i
> know. Even for the folks who can actually compare all the digits,
> once a handful of key exchanges have been done and have always
> "checked out" by visual comparison, the user will probably start to
> get sloppy.
>
> I don't mean this in a pejorative way; comparing long strings of
> arbitrary symbols is just not what the human mind is cut out for.
>
> So having a way for the exchange to be securely done *without*
> users needing to inspect fingerprints would be an excellent step
> forward in the experience of key exchange.
I fully agree with you say. Someone suggested to me in private to do
an alternative ShowPgpFingerprintActivity with color coding. This
would then be available as an additional entry in the "Apply
action..." popup menu. I just didn't want to start coding something
fancy without having a discussion upfront. Bingo, here we are.
So, how do we want to make comparing 48 hex digits easier for the user?
Timur
More information about the Freedombox-discuss
mailing list