Ok, I know very little about SIM cards. If they can't be cloned realistically, then that's fine as an authentication measure I suppose. It would also probably be wise to renegotiate the key at regular intervals, if someone is actually interested in security.
On Thu, Jul 18, 2013 at 1:26 PM, Rasmus Eneman <[email protected]> wrote:

> > If you're going to handle key creation and exchange invisibly, what use is GPG?
> Because we would want that infrastructure for the email anyways.
>
> > I'd rather handle email encryption on my own, because if my phone died, I'd lose my private key and could no longer read my email (which I wouldn't be able to read outside of my phone anyway.) I think email is a use case which needs more investigation.
> Of course you should be able to do that too, but if you haven't added your own key that should be one there anyways.
> There should be an option to sync your private key with Ubuntu One (this would also sync to Thunderbird on the desktop).
> This is however trading security for convenience so it should be off by default.
>
> > And if you do lose your phone, how do you renegotiate the key exchange with your friends' phones? What if your phone is just an impersonator that doesn't have the key and wants in anyways?
> We trust the phone number as SIM cards aren't clone-able. If the key for the same phone number changes and we still have that phone number in our address book that new key is secure.
> If not we should notify the user, explain why this could happen and ask him or her if the new key is trusted.
>
> > The question becomes "do we trust Ubuntu One to keep our private key secure?"
> Not by default I would say no. But we should have that as an option to automatically restore your key when you change device and to sync it to your desktop.
>
> 2013/7/18 Josh Leverette <[email protected]>
>
>> Asymmetric encryption of some kind would probably be preferred. Possibly using quantum computer proof asymmetric encryption. (Look at Wikipedia, I'm on my phone at the moment, or I would provide a link.)
>>
>> As far as email goes, that is notably more complex than SMS to handle. The question becomes "do we trust Ubuntu One to keep our private key secure?" If so, the solution is obvious, but if not, then we don't have an easy solution. And if you do lose your phone, how do you renegotiate the key exchange with your friends' phones? What if your phone is just an impersonator that doesn't have the key and wants in anyways?
>>
>> Sincerely,
>> Josh
>>
>> On Jul 18, 2013 1:08 PM, "Nathan Haines" <[email protected]> wrote:
>>
>>> On 07/18/2013 11:04 AM, Rasmus Eneman wrote:
>>>
>>>> The implementation I suggest in two parts.
>>>>
>>>> Quick messaging (SMS like):
>>>> Create an XMPP service bound to Ubuntu One account, all messages should be encrypted with GPG.
>>>> Automatic key creation and exchange, totally invisible for the user,
>>>
>>> If you're going to handle key creation and exchange invisibly, what use is GPG? Why not use SSL or OTR? I think IMs should be transparently encrypted whenever possible.
>>>
>>> I'd rather handle email encryption on my own, because if my phone died, I'd lose my private key and could no longer read my email (which I wouldn't be able to read outside of my phone anyway.) I think email is a use case which needs more investigation.
>>>
>>> Regards,
>>> Nathan
>>>
>>> --
>>> Nathan Haines
>>> Ubuntu - http://www.ubuntu.com/
>>>
>>> --
>>> Mailing list: https://launchpad.net/~ubuntu-phone
>>> Post to     : [email protected]
>>> Unsubscribe : https://launchpad.net/~ubuntu-phone
>>> More help   : https://help.launchpad.net/ListHelp
>
> --
> Rasmus Eneman

--
Sincerely,
Josh
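The key-change rule proposed in the quoted reply from Rasmus Eneman, combined with the periodic renegotiation suggested at the top of this message, sketched as an added example that is not code from the thread or from Ubuntu. The class and function names, the SHA-256 fingerprint, the 30-day interval and the sample numbers and keys are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

ROTATE_AFTER = 30 * 24 * 3600  # assumed renegotiation interval in seconds; the thread names none


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a peer's public key bytes (assumed fingerprint scheme)."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class PinStore:
    address_book: set                          # phone numbers the user has saved
    pins: dict = field(default_factory=dict)   # number -> (fingerprint, pinned_at)

    def check(self, number: str, public_key: bytes, now: float) -> str:
        """Classify a key presented for `number` without changing any state."""
        if number not in self.pins:
            return "pin-new"                   # first contact: trust on first use
        pinned_fp, pinned_at = self.pins[number]
        if fingerprint(public_key) == pinned_fp:
            # Same key as before; flag it once it is older than the interval.
            return "rotate-due" if now - pinned_at >= ROTATE_AFTER else "ok"
        if number in self.address_book:
            return "accept-changed"            # proposal: number still in address book
        return "ask-user"                      # explain the change, let the user decide

    def accept(self, number: str, public_key: bytes, now: float) -> None:
        """Pin (or re-pin) a key once check() or the user has approved it."""
        self.pins[number] = (fingerprint(public_key), now)


def demo() -> list:
    """Feed constructed sample events through the store; return each decision."""
    store = PinStore(address_book={"+15550100"})   # constructed numbers and keys
    events = [("+15550100", b"key-A", 0), ("+15550100", b"key-B", 60),
              ("+15550199", b"key-C", 0), ("+15550199", b"key-D", 60),
              ("+15550100", b"key-B", 60 + ROTATE_AFTER)]
    decisions = []
    for number, key, now in events:
        decision = store.check(number, key, now)
        if decision in ("pin-new", "accept-changed"):
            store.accept(number, key, now)     # "ask-user" stays unpinned until approved
        decisions.append(decision)
    return decisions
```

The "accept-changed" branch rests entirely on the assumption stated in the thread that a phone number cannot be taken over; if that assumption is not acceptable, route that branch to "ask-user" as well.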

