[guardian-dev] Gibberbot keystore format

Miron c1.android at niftybox.net
Mon Aug 13 12:55:26 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 13/08/12 09:26, Hans-Christoph Steiner wrote:
> 
> All of the OTR file formats that I have ever seen store the
> private keys in the clear.  But one key per contact is problematic.
> The

I think it would be strange to implement SQLCipher and then store the
private key in the clear.

> migration will be quite a bit of work, so I think we should take
> our time to get it right.  I've been thinking that a better format
> would be to store the private keys as subkeys of your GPG key.  If
> the user doesn't have one, we can generate it.

That's an interesting approach.  I wonder though if that should be a
export/import feature rather than something that is used for
day-to-day operation.  The keys (public and private) should continue
to be in app-private storage for normal use so that they are
unreadable by other apps.  Normal users would not directly access this
storage since it requires adb/root.  There should be an export-keys
functionality.  Perhaps that export should either feed into APG (for
run-of-the-mill encryption or perhaps private-key import of
key/subkey) or create the GPG key/subkey directly.


> If we base this off of gpg, it will give us lots of very nice 
> features for free.  This is the goal of the next round of PSST,
> which is slated to start in October.  Maybe its worthwhile to hack
> around the current format in the meantime?

So I think there are two separate questions: how to store it
internally for day-to-day operational use and how to export/import it
for interoperability and PSST glory.  Right now I'm interested in
solving the former in a secure way, since SQLCipher is slated for this
release (v10).

> .hc
> 
> On Aug 13, 2012, at 12:17 PM, Miron wrote:
> 
> A couple of issues with the current implementation:
> 
> * Only one key stored per contact.  That means that if a contact
> has multiple presences, they will overwrite each-other. * Private
> key stored in same file, in the clear.
> 
> BTW, yaxim doesn't have OTR AFAIK.
> 

- -- 
Miron
http://hyper.to/blog/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIVAwUBUCkxfpifazBIoRa1AQLD7g/+PA8ooXiYPvSmAHe4+3AD5gGqwKxo/x/I
3JorNxUrOlYgbK33YWOqjGMvIs6IqfaDIZHBFNFXExskzCyldQcswRGfWhRnE252
KPVd2isjp2N2e/S1v19hS7prf5TNPA+wrbg2fI8eJHUj5awywEdJ3JlkYsSPwEEz
gMp0dsbpHi3IM0D6w8UHfkTsvlwB364gIdoBBEghai2VMmmMFsv42zqwhZCN4Q14
Dv8JqnaQIpgjgjZWReSZvTQ+zx4caea0cLPyJ9UmwIkrl/GrTgFMqgJ5+qv8ShlL
WzlHVpunBL4Kp5Td1MuzbZ2wtKd1yLdco6vMmnKj81PAb1EY9ectVNeGi80nkfig
2Ad/RrAZAWdEtsgczpY+YuCYvkSyLel1b7s+bFaLip76i7K5fIk/qZpEBZ+YjJ3D
TtFdeOtewd2k3DOVrlvZSgY+peGtNqdzdUYawvDMEhhjvzOoP8n9vLNOnXy8YNfh
Q9Mf4zy7q9AqQlsX3jrD+54DHK1+B0nJr/15gqAUyOlGBRWIlY3kG2ji0BnDSuuN
gPu3iw0j9GPpRoypeQxqd72OTxafOcMft//hPiW1QYFoe3FEbKa7sBDvqPqV1dV9
cKBd3dKExO7xDVaiCAS5qFULkD8PTTJg82dbcivcMqGmC5PmUYV3RN/HmIxgEZmg
A1SgrhCp6TU=
=QD/J
-----END PGP SIGNATURE-----


More information about the Guardian-dev mailing list