[guardian-dev] A critique of ProofMode
dominik at dominikschuermann.de
Tue Mar 7 11:30:12 EST 2017
> - Storing the key in a way that can't be exported from the device, even
> if rooted. I've been looking at the KeyChain API for this. Has anyone
> had experience storing app generated key data in this way?
In OpenKeychain we haven't done this due to usability concerns:
> - Notarizing the key on a special cloud service (or keybase.io perhaps)
> to ensure it came from the actual ProofMode app and not a random PGP
> command line... again, any thoughts on somehow tagging the origins of a
> key to a specific instance or hardware?
OpenKeychain supports Linked Identities to link keys to Twitter/GitHub
etc. An alternative approach to keybase.io. We also wrote Linked
Identities down as Internet Drafts:
> - Not running proofmode when a USB device is connected, or when a device
> is rooted (We can detect both), or simply logging facts in the proof CSV
There is also Google's SafetyNet API. I think it's closed source and I
don't like their approach, but you could look into it:
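The first quoted bullet asks how to store an app-generated key so that it cannot be exported from the device. On Android the API for that is the `AndroidKeyStore` provider with `KeyGenParameterSpec` (the `KeyChain` API mentioned in the question is for credentials the user installs, not keys the app generates). The block below is an added example written for this page, not code from ProofMode, OpenKeychain or the thread; the key alias `proofmode_signing_key` is a hypothetical name. It generates a P-256 signing key inside the Keystore, checks whether the key lives in secure hardware (TEE or StrongBox) rather than in the software-emulated store, and signs and verifies a sample message with it.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

/** Device-bound signing key whose private half is never handed to app code. Requires API 23+. */
public final class DeviceBoundSigner {
    private static final String PROVIDER = "AndroidKeyStore";
    // Hypothetical alias chosen for this example.
    private static final String ALIAS = "proofmode_signing_key";

    /** Returns the existing key pair under ALIAS, or generates a new one inside the Keystore. */
    public static KeyPair getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) {
            PrivateKey priv = (PrivateKey) ks.getKey(ALIAS, null);
            PublicKey pub = ks.getCertificate(ALIAS).getPublicKey();
            return new KeyPair(pub, priv);
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        // The returned PrivateKey is an opaque handle: getEncoded() yields null,
        // so there is no private key material for the app (or a backup) to leak.
        return kpg.generateKeyPair();
    }

    /** True only if the Keystore reports the key is held in a TEE or StrongBox. */
    public static boolean isHardwareBacked(PrivateKey priv) throws Exception {
        KeyFactory kf = KeyFactory.getInstance(priv.getAlgorithm(), PROVIDER);
        KeyInfo info = kf.getKeySpec(priv, KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    /** ECDSA-with-SHA256 signature; hashing and signing happen inside the Keystore. */
    public static byte[] sign(PrivateKey priv, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    /** Verification only needs the public key, so it can run on any machine. */
    public static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }

    /** Example flow over a constructed sample message. */
    public static void demo() throws Exception {
        KeyPair kp = getOrCreateKey();
        byte[] proof = "constructed sample proof record".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp.getPrivate(), proof);
        boolean ok = verify(kp.getPublic(), proof, sig);
        boolean hw = isHardwareBacked(kp.getPrivate());
        android.util.Log.i("DeviceBoundSigner", "valid=" + ok + " hardwareBacked=" + hw);
    }
}
```

Two caveats worth recording alongside the proof: `isInsideSecureHardware()` is what separates a key that survives a rooted device from one a root process can copy out of the software Keystore, so the result belongs in the proof metadata rather than being assumed; and even a hardware-backed key stops extraction, not use, so a compromised device can still produce valid signatures over false content. Binding the key to a specific app instance (the second quoted bullet) would need the Keystore's key attestation chain, which this example does not request.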