[liberationtech] pgp and e-mail resources?
Steve Weis
steveweis at gmail.com
Thu Oct 28 15:02:10 PDT 2010
The Google Authenticator mobile app uses QR codes to provision shared
one-time passcode keys. This is used for their two-factor
authentication. Besides scanning the code to install the key in my
app, it's also convenient to print out in case I lose my phone and
need to restore my keys. (I worked on this when I was at Google.)
Source code for Android and Blackberry is available and Iphone is
probably in the pipeline:
http://code.google.com/p/google-authenticator/
The OATH specification it's using is here:
http://www.openauthentication.org/specifications
It would be easy to modify this to scan public keys and support some
of the functionality you describe. I think there is a lot of potential
in using mobile devices for stronger authentication.
On Thu, Oct 28, 2010 at 12:09 PM, Seth David Schoen <schoen at eff.org> wrote:
>
> Some Debian people have been working on using QR codes with mobile
> phones to do key exchange. Especially if this gets integrated with
> desktop software, this is pretty awesome in terms of reducing the
> overhead of the key exchange process, which is one part of key
> management that has long antagonized prospective PGP users. Instead
> of reading the hex fingerprint, you would scan someone's business
> card with your cell phone. Your desktop software would ask you
> something like "Hey, this says it came from Phil Zimmermann; is
> that right?".
>
> QR codes could potentially go a long way toward convenient use of
> all kinds of public key applications in the future, including
> things like credentials to administer devices (scan a barcode with
> a phone camera to give your phone authority to perform a task!
> maybe scan two barcodes one after another to do something like
> Bluetooth pairing!).
>
> Of course, this doesn't make the more general overhead and risk
> of key management go away. Users still have to understand issues
> about the integrity and confidentiality _of the bar codes_ (for
> example, don't leave authorization bar codes lying around in
> public places; don't trust an e-mail public key barcode that
> someone sent you as an image in unauthenticated e-mail; ...).
> This is to say that users still have to understand the nature of
> the authority or capability that particular keys are affording
> them, and what their corresponding responsibilities are toward
> those keys are under their (or other people's) threat models.
>
> It's possible that these aspects of key management are ultimately
> a bigger problem than the reading, typing, and comparing hex
> strings part.
>
More information about the liberationtech
mailing list