Encryption and Identity Verification
From Guardian Project Wiki
Revision as of 20:44, 18 July 2012
Using QR codes and the phone camera as a QR code reader, the mobile phone can be the easiest tool for exchanging key fingerprints and managing PGP signatures when building a web of trust.
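A worked example of the fingerprint handling behind such a QR exchange, added here and not code from the Guardian Project or GnuPG. It computes the v4 fingerprint the way RFC 4880 defines it (SHA-1 over 0x99, a two-byte length and the public-key packet body, which is what `gpg --fingerprint` prints), wraps it in the `OPENPGP4FPR:` URI scheme that OpenKeychain and Monkeysign put into QR codes, parses a scanned payload back, and compares it with the fingerprint computed locally from a downloaded key. The RSA key material is a constructed toy modulus, enough to exercise the packet encoding but not a real key.

```python
"""OpenPGP v4 fingerprints for QR exchange: compute, encode, parse, compare.

Added example for this page, not Guardian Project or GnuPG code.
Assumptions: the OPENPGP4FPR: URI scheme (as used by OpenKeychain and
Monkeysign) and a constructed toy RSA key used only to exercise the
fingerprint arithmetic.
"""
import hashlib
import hmac
import re
import struct

QR_SCHEME = "OPENPGP4FPR:"
_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def mpi(value):
    """Encode an integer as an OpenPGP MPI (RFC 4880 3.2):
    two-byte bit length followed by the big-endian magnitude."""
    magnitude = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + magnitude


def rsa_v4_key_body(n, e, created):
    """Body of a version 4 RSA public-key packet (RFC 4880 5.5.2):
    version, creation time, algorithm id 1 (RSA), MPI(n), MPI(e)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(key_body):
    """RFC 4880 12.2: SHA-1 over 0x99 || two-byte body length || body,
    which is exactly the value `gpg --fingerprint` shows for a v4 key."""
    prefix = b"\x99" + struct.pack(">H", len(key_body))
    return hashlib.sha1(prefix + key_body).hexdigest().upper()


def key_id(fpr):
    """The 64-bit key ID is the low 8 bytes of the v4 fingerprint."""
    return fpr[-16:]


def normalize_fingerprint(text):
    """Accept gpg's spaced / lower-case display forms; return 40 upper-case
    hex digits or raise ValueError rather than silently comparing junk."""
    compact = re.sub(r"\s+", "", text).upper()
    if not _FPR_RE.match(compact):
        raise ValueError("not a v4 OpenPGP fingerprint: %r" % text)
    return compact


def to_qr_payload(fpr):
    """Text to encode in the QR code the other party scans."""
    return QR_SCHEME + normalize_fingerprint(fpr)


def parse_qr_payload(payload):
    """Recover the fingerprint from a scanned QR payload."""
    payload = payload.strip()
    if not payload.upper().startswith(QR_SCHEME):
        raise ValueError("unexpected QR payload, not an OPENPGP4FPR URI")
    return normalize_fingerprint(payload[len(QR_SCHEME):])


def fingerprints_match(scanned, local):
    """Compare the scanned fingerprint with the one computed from the key
    we fetched from a keyserver. Both sides are normalised first; the
    constant-time compare costs nothing here."""
    return hmac.compare_digest(
        normalize_fingerprint(scanned).encode(),
        normalize_fingerprint(local).encode(),
    )


# Constructed sample key: a 128-bit modulus is useless for crypto but fine
# for exercising packet encoding and the fingerprint computation.
SAMPLE_N = 0xC4F3F5A0E1B22C7D9A0B3D18F72E6C5B
SAMPLE_E = 65537
SAMPLE_CREATED = 1342600000  # constructed creation timestamp
SAMPLE_BODY = rsa_v4_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)

if __name__ == "__main__":
    fpr = fingerprint_v4(SAMPLE_BODY)
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("key id:     ", key_id(fpr))
    print("QR payload: ", to_qr_payload(fpr))
    scanned = parse_qr_payload(to_qr_payload(fpr))
    print("match:", fingerprints_match(scanned, fpr))
```

The point of the comparison step is that the keyserver is untrusted: the QR code carries the fingerprint over a channel the two people can see, and the key fetched by key ID from a server is only accepted if its recomputed fingerprint matches. Comparing key IDs alone is not enough, since a 64-bit ID is cheap to collide.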
PGP implementations
gnupg-for-java
- JNI wrapper for gpgme
- gnupg-for-java
STEED
- http://g10code.com/steed.html
- initiative to make OpenPGP more accessible to novices
APG
- limitations:
- no method for uploading personal public key
- no method for signing other people's keys
- no method to view signatures on a key
- no PGP/MIME support
Didisoft OpenPGP Library for Java
- http://www.didisoft.com/java-openpgp/
- proprietary
- seems to lack:
- methods to talk with keyservers
- methods for managing key certification signatures
PGP Featureset Assessment
| Feature Description | OpenPGP | APG | Usage Frequency | Strategic Value |
|---|---|---|---|---|
| Key Generation* | | | Low | High |
| Encrypting / Signing | | | | |
| Standalone files | | | Low | Low |
| Email body | | | High | High |
| Email attachments | | | High | High |
| Keyserver Integration | | | | |
| Upload public key | | | Low | High |
| Search / download public key | | | Medium | High |
| Upload/download signature certifications | | | Medium | Medium |
| Key revocation | | | Low | High |
| Key Management | | | | |
| View / delete third party keys | | | High | High |
| Import / Export sub-keys | | | Low | High |
| Trust Management | | | | |
| Key signature viewing | | | Medium | Medium |
| Visible chain of trust | | | High | High |

* APG describes its key generation feature as "still kind of beta".
PGP data and meta data
- PGP pathfinder & key statistics
- meta data in GPG
- adding PGP key info to a vCard
Anonymous Web of Trust
While the public PGP keyserver infrastructure is very useful and easy to use, it also publishes complete social graphs: every certification signature on a key records who vouched for whom, and anyone can download it. For many people this puts them at high risk, so we should use techniques for an anonymous web of trust, or at least avoid making the social graph available to people outside of that social graph.
- Anonymous Web of Trust prototype lib
- mode for exclusive, p2p syncing of signatures, no uploads to PGP servers
- gnupg lsign (`gpg --lsign-key`): "sign a key locally", i.e. a non-exportable signature that never leaves the signer's keyring
- A conversation with dkg on p2p PGP sig swaps
- caff emails the sigs instead of posting them to the keyserver
- allows keyholder to decide how the sig is distributed
- Evolution supports directly importing the sigs from the emails
- the computer running caff needs a working SMTP server (local MTA)
- Anymime Key Signing Party Android Key Signing GUI which posts sigs via scp
- avoiding tracking of connections to PGP keyservers
- HTTPS (hkps) to prevent snooping of the data in transit
- Tor to prevent tracking of lookups from notable IPs
CAcert Certificate Authority Infrastructure
- http://cacert.org
- Firefox can update CAcert's revocation list (CRL) once a day
- Firefox can enforce OCSP certificate revocations
- can we specify one trustworthy OCSP server for all CAs?
PGP master key with sub keys for daily use
- http://www.macfreek.nl/mindmaster/Convert_GPG_keys_to_subkeys
- Using multiple subkeys in GPG
- GPG subkey tutorials
- Convert GPG keys to subkeys
- Convert keys between GnuPG, OpenSsh and OpenSSL
OTR syncing
Handling Verification Signatures
- ssh-style randomart for fingerprints, to make fingerprints easier to recognize visually
- make an easy UI for sending signatures via email à la caff, instead of uploading them directly to the keyserver as Seahorse does
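The randomart idea above, as an added example that is not code from the page, OpenSSH or GnuPG. The walk reproduces OpenSSH's "drunken bishop" (`fingerprint_randomart()` in its key code): a 17x9 field, start at the centre, one step per two bits of the digest taking the least significant pair first, visit counts capped at 14, `S` marking the start cell and `E` the end cell. Feeding it the 20 fingerprint bytes of an OpenPGP v4 key instead of an SSH key digest, and the `[OpenPGP]` frame label, are this example's own choices; the fingerprint in the usage line is constructed.

```python
"""Visualise an OpenPGP fingerprint as OpenSSH-style randomart.

Added example for this page, not code from the page, OpenSSH or GnuPG.
The walk follows OpenSSH's fingerprint_randomart() ("drunken bishop"):
17x9 field, start at the centre, one step per two bits (least significant
pair first), visit counts capped at 14, 'S' marks the start cell and 'E'
the end cell. Applying it to the 20 fingerprint bytes of an OpenPGP v4
key and the "[OpenPGP]" frame label are this example's own choices.
"""
import re
from typing import List

FIELD_W, FIELD_H = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^SE"
MAX_COUNT = len(SYMBOLS) - 3   # 14: highest ordinary symbol; S and E are reserved
START_MARK = len(SYMBOLS) - 2  # index of 'S'
END_MARK = len(SYMBOLS) - 1    # index of 'E'


def drunken_bishop(digest: bytes) -> List[List[int]]:
    """Walk the bishop over the field and return visit counts per cell,
    with the start and end cells overwritten by their marker indices."""
    field = [[0] * FIELD_W for _ in range(FIELD_H)]
    x, y = FIELD_W // 2, FIELD_H // 2
    start_x, start_y = x, y
    for byte in digest:
        for _ in range(4):
            # bit 0 picks left/right, bit 1 picks up/down; the walls clamp
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), FIELD_W - 1)
            y = min(max(y, 0), FIELD_H - 1)
            if field[y][x] < MAX_COUNT:
                field[y][x] += 1
            byte >>= 2
    field[start_y][start_x] = START_MARK
    field[y][x] = END_MARK
    return field


def randomart(fingerprint_hex: str, label: str = "OpenPGP") -> List[str]:
    """Render a fingerprint (hex, gpg-style spacing allowed) as framed lines."""
    digest = bytes.fromhex(re.sub(r"\s+", "", fingerprint_hex))
    if not digest:
        raise ValueError("empty fingerprint")
    field = drunken_bishop(digest)
    top = "+" + ("[%s]" % label).center(FIELD_W, "-") + "+"
    rows = ["|" + "".join(SYMBOLS[c] for c in row) + "|" for row in field]
    bottom = "+" + "-" * FIELD_W + "+"
    return [top] + rows + [bottom]


if __name__ == "__main__":
    # Constructed fingerprint, not that of any real key.
    sample = "3E2C 9A7B 1F04 D8E6 5B90 0C41 7A2D F6E8 19B3 4C5A"
    print("\n".join(randomart(sample)))
```

The picture is not a substitute for comparing the full fingerprint: a user recognises that the art looks different from last time more readily than that four hex digits changed, which is what makes it useful for spotting a swapped key, but matching art on its own proves nothing, since the mapping is lossy.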
Converting OTR formats
- Nettle - a low-level cryptographic library
- Understanding DSA keys
- Keyczar Python/Java/C++ framework for crypto