I provided this with my original post:
http://timur.mobi/anymime-ksp/

Can you please phrase your concern relative to the fingerprint
verification example?

On 30.09.2011 15:50, Ted Smith wrote:
> So, how can a user verify that the key material comes from the
> expected peer? I know nothing of bluetooth and NFC, so instead of
> describing low-level protocols (which in most cases are NOT
> implemented using free software and CANNOT be naively trusted),
> please describe what I'd see using your app.
>
> On Fri, 2011-09-30 at 13:46 +0200, Timur Mehrvarz wrote:
>> DKG, your impression that there is no security in place when
>> using Bluetooth and NFC is not true. Anymime uses encrypted and
>> authenticated communications only. And NFC does not just make
>> the procedure much more usable, it also removes the weakest spot
>> with "long range" Bluetooth: device discovery. What is needed now
>> is that people play with it and try to break it. And more devices
>> with NFC chips must become available.
>>
>> I will prepare another reply with more info, just need a bit
>> more time. My impression is that those who specify and implement
>> the lower layers are honest about security. Also keep in mind
>> that payment is one important use case here. Why not benefit from
>> the effort?
>>
>> I'm following this list long enough to be aware of the QR
>> discussion. I think both technologies need to be implemented for
>> key exchange. If someone comes to you with QR code printed on a
>> business card, your NFC chip won't help much.
>>
>> Thank you Stefano + Michael for your encouraging words.
>> Timur
>>
>> On 29.09.2011 17:45, Daniel Kahn Gillmor wrote:
>>> i'm concerned that bluetooth and NFC don't provide much
>>> protection against spoofing. that is, can the operator of a
>>> device using these technologies verify that the communication
>>> comes from the expected peer? or is it possible for a nearby
>>> attacker with control over the RF spectrum to inject messages
>>> into the communication?
>>>
>>> The advantage of the optical approach (QR codes and webcams)
>>> discussed some months ago on this list (see posts about
>>> "monkeysign" and "manus vexo") is that a (sighted) human user
>>> can observe the communication between devices directly and
>>> ensure that there is no tampering.
>>>
>>> Is there some mechanism with bluetooth or NFC that offers
>>> equivalent protection from network interference?
>>>
>>> --dkg
>
> _______________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
