ubuntu-phone team mailing list archive

[Rasmus Eneman <Rasmus@xxxxxxxxx>]

>If you're going to handle key creation and exchange invisibly, what use is
GPG?
Because we would want that infrastructure for the email anyways.

>I'd rather handle email encryption on my own, because if my phone died,
I'd lose my private key and could no longer read my email (which I wouldn't
be able to read outside of my phone >anyway.)  I think email is a use case
which needs more investigation.
Of course you should be able to do that to, but if you haven't added your
own key that should
be one there anyways.
Their should be an option to sync your private key with Ubuntu One (this
would also sync to Thunderbird on the desktop)
This is however trading security for connivance so it should be off by
default.

>And if you do lose your phone, how do you renegotiate the key exchange
with your friends' phones? what if your phone is just an impersonator that
doesn't have the key and wants in anyways?
We trust the phone number as SIM cards isn't clone-able. If the key for the
same phone number changes and we still have that phone number in our
address book that new key is secure.
If not we should notice the user, explain why this could happen and ask him
or her if the new key is trusted.

>The question becomes "do we trust Ubuntu One to keep our private key
secure?"
Not by default I would say no. But we should have that as an option to
automatically restore
your key when you change device and to sync it to your desktop.


2013/7/18 Josh Leverette <coder543@xxxxxxxxx>

> asymmetric encryption of some kind would probably be preferred. Possibly
> using quantum computer proof asymmetric encryption. (look at Wikipedia, I'm
> on my phone at the moment, or I would provide a link.)
>
> As far as email goes, that is notably more complex than SMS to handle. The
> question becomes "do we trust Ubuntu One to keep our private key secure?"
> if so, the solution is obvious, but if not, then we don't have an easy
> solution. And if you do lose your phone, how do you renegotiate the key
> exchange with your friends' phones? what if your phone is just an
> impersonator that doesn't have the key and wants in anyways?
>
> Sincerely,
> Josh
> On Jul 18, 2013 1:08 PM, "Nathan Haines" <nhaines@xxxxxxxxxx> wrote:
>
>> On 07/18/2013 11:04 AM, Rasmus Eneman wrote:
>>
>>> The implementation I suggest in two parts.
>>>
>>> Quick messaging (SMS like):
>>> Create an XMPP service bound to Ubuntu One account, all messages should
>>> be encrypted with GPG.
>>> Automatic key creation and exchange, totally invisible for the user,
>>>
>>
>> If you're going to handle key creation and exchange invisibly, what use
>> is GPG?  Why not use SSL or OTR?  I think IMs should be transparently
>> encrypted whenever possible.
>>
>> I'd rather handle email encryption on my own, because if my phone died,
>> I'd lose my private key and could no longer read my email (which I wouldn't
>> be able to read outside of my phone anyway.)  I think email is a use case
>> which needs more investigation.
>>
>> Regards,
>> Nathan
>>
>> --
>> Nathan Haines
>> Ubuntu - http://www.ubuntu.com/
>>
>> --
>> Mailing list: https://launchpad.net/~ubuntu-**phone<https://launchpad.net/~ubuntu-phone>
>> Post to     : ubuntu-phone@lists.launchpad.**net<ubuntu-phone@xxxxxxxxxxxxxxxxxxx>
>> Unsubscribe : https://launchpad.net/~ubuntu-**phone<https://launchpad.net/~ubuntu-phone>
>> More help   : https://help.launchpad.net/**ListHelp<https://help.launchpad.net/ListHelp>
>>
>
> --
> Mailing list: https://launchpad.net/~ubuntu-phone
> Post to     : ubuntu-phone@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~ubuntu-phone
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Rasmus Eneman