Thanks, Dominik, for the great ideas. Comments within... On Tue, Mar 7, 2017, at 11:30 AM, Dominik Schuermann wrote: > > > > > - Storing the key in a way that can't be exported from the device, even > > if rooted. I've been looking at the KeyChain API for this. Has anyone > > had experience storing app generated key data in this way? > > FYI: https://doridori.github.io/android-security-the-forgetful-keystore/ > > In OpenKeychain we haven't done this due to usability concerns: > https://github.com/open-keychain/open-keychain/issues/1642
It seems like based on the fact the user will always have the phone unlocked when we need to use the key, that we should be fine with using this service. https://github.com/guardianproject/proofmode/issues/16 > > - Notarizing the key on a special cloud service (or keybase.io perhaps) > > to ensure it came from the actual ProofMode app and not a random PGP > > command line... again, any thoughts on somehow tagging the origins of a > > key to a specific instance or hardware? > > OpenKeychain supports Linked Identities to link keys to Twitter/GitHub > etc. An alternative approach to keybase.io. We also wrote Linked > Identities down as Internet Drafts: > > http://tools.ietf.org/html/draft-vb-openpgp-linked-ids-01 > http://tools.ietf.org/html/draft-vb-openpgp-uri-attribute-01 Oh great! I had no idea you were working on this. It is very important. > > > > > - Not running proofmode when a USB device is connected, or when a device > > is rooted (We can detect both), or simply logging facts in the proof CSV > > file. > > There is also Google's SafetyNet API. I think its closed source and I > don't like their approach, but you could look into it: > https://koz.io/inside-safetynet/ Actually, as an optional "add-on", it seems quite nice. We can use the hash of the media file as the nonce, as well, I think. Some progress here: https://github.com/guardianproject/proofmode/issues/15 Thanks again! -- Nathan of Guardian [email protected] _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
