[guardian-dev] Gibberbot keystore format
Miron
c1.android at niftybox.net
Mon Aug 13 12:55:26 EDT 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 13/08/12 09:26, Hans-Christoph Steiner wrote:
>
> All of the OTR file formats that I have ever seen store the
> private keys in the clear. But one key per contact is problematic.
> The
I think it would be strange to implement SQLCipher and then store the
private key in the clear.
> migration will be quite a bit of work, so I think we should take
> our time to get it right. I've been thinking that a better format
> would be to store the private keys as subkeys of your GPG key. If
> the user doesn't have one, we can generate it.
That's an interesting approach. I wonder though if that should be a
export/import feature rather than something that is used for
day-to-day operation. The keys (public and private) should continue
to be in app-private storage for normal use so that they are
unreadable by other apps. Normal users would not directly access this
storage since it requires adb/root. There should be an export-keys
functionality. Perhaps that export should either feed into APG (for
run-of-the-mill encryption or perhaps private-key import of
key/subkey) or create the GPG key/subkey directly.
> If we base this off of gpg, it will give us lots of very nice
> features for free. This is the goal of the next round of PSST,
> which is slated to start in October. Maybe its worthwhile to hack
> around the current format in the meantime?
So I think there are two separate questions: how to store it
internally for day-to-day operational use and how to export/import it
for interoperability and PSST glory. Right now I'm interested in
solving the former in a secure way, since SQLCipher is slated for this
release (v10).
> .hc
>
> On Aug 13, 2012, at 12:17 PM, Miron wrote:
>
> A couple of issues with the current implementation:
>
> * Only one key stored per contact. That means that if a contact
> has multiple presences, they will overwrite each-other. * Private
> key stored in same file, in the clear.
>
> BTW, yaxim doesn't have OTR AFAIK.
>
- --
Miron
http://hyper.to/blog/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIVAwUBUCkxfpifazBIoRa1AQLD7g/+PA8ooXiYPvSmAHe4+3AD5gGqwKxo/x/I
3JorNxUrOlYgbK33YWOqjGMvIs6IqfaDIZHBFNFXExskzCyldQcswRGfWhRnE252
KPVd2isjp2N2e/S1v19hS7prf5TNPA+wrbg2fI8eJHUj5awywEdJ3JlkYsSPwEEz
gMp0dsbpHi3IM0D6w8UHfkTsvlwB364gIdoBBEghai2VMmmMFsv42zqwhZCN4Q14
Dv8JqnaQIpgjgjZWReSZvTQ+zx4caea0cLPyJ9UmwIkrl/GrTgFMqgJ5+qv8ShlL
WzlHVpunBL4Kp5Td1MuzbZ2wtKd1yLdco6vMmnKj81PAb1EY9ectVNeGi80nkfig
2Ad/RrAZAWdEtsgczpY+YuCYvkSyLel1b7s+bFaLip76i7K5fIk/qZpEBZ+YjJ3D
TtFdeOtewd2k3DOVrlvZSgY+peGtNqdzdUYawvDMEhhjvzOoP8n9vLNOnXy8YNfh
Q9Mf4zy7q9AqQlsX3jrD+54DHK1+B0nJr/15gqAUyOlGBRWIlY3kG2ji0BnDSuuN
gPu3iw0j9GPpRoypeQxqd72OTxafOcMft//hPiW1QYFoe3FEbKa7sBDvqPqV1dV9
cKBd3dKExO7xDVaiCAS5qFULkD8PTTJg82dbcivcMqGmC5PmUYV3RN/HmIxgEZmg
A1SgrhCp6TU=
=QD/J
-----END PGP SIGNATURE-----
More information about the Guardian-dev
mailing list