On Sun, Mar 1, 2015 at 10:21 AM, Nadim Kobeissi <[email protected]> wrote:
> On Sun, Mar 1, 2015 at 5:50 PM, Trevor Perrin <[email protected]> wrote:
>>
>> So my claims are:
>> a) If you want passphrase-based mobility between devices, in a
>> protocol where the user has a home server, just storing the
>> passphrase-encrypted private key on the home server is the best
>> approach.
>
> Yup, I've already said this isn't a bad idea, and I think by this point it
> seems to be the most reasonable way to move forward.

I'm not recommending this - just saying it's the best version of this idea, so should be the basis for discussion.

If you want to do this, my advice is the same as Joe's: use machine-generated phrases with high entropy, not user-chosen. I don't know if that has the usability you want, but it would be secure.

>> b) It's unclear in what use cases this is a good idea [...]
>
> This becomes a substantially more subjective discussion on
> user-friendliness, subjective to the degree where I'm not sure it can lead
> to a fruitful discussion here.

Well, the first step is to determine what use cases this is addressing and what the alternatives are.

If I want to provision a new device and have an old device at hand, there are good ways to copy a private key from old to new. For example, use QR codes or short-auth strings [1,2] to create a secure channel over which to send the key. I think scanning a QR code or verifying that two devices are displaying the same short string has good usability - probably better than a long passphrase.

So that leaves cases where I want to use a new device *without* an old device present. For example:

(a) recovering from a lost device
(b) using internet cafes if you don't own a device (or flash drive)
(c) using a friend's computer if you're away from your device

For (a), users could be given the option of a recovery key, which they could print and store. That's basically the same as a machine-generated passphrase, except users aren't expected to remember it or use it frequently, so there's less concern about usability.

I also like the idea of users electing some M-of-N set of other users whom they trust, and having shares of the recovery key encrypted to their public keys. We discussed ideas like this last year, though the context was a forgotten password rather than lost device [3,4,5].

I'm not sure (b) and (c) should be supported in end-to-end secure software. It seems dangerous to give users the impression of end-to-end security with devices they don't control. I suppose the recovery key mechanism could be used for this if some user really wants to, but I'm not sure (b) or (c) need more support than that. And since users nowadays own smartphones that are always with them, this doesn't seem that important.

Trevor

[1] https://moderncrypto.org/mail-archive/messaging/2014/000036.html
[2] https://moderncrypto.org/mail-archive/messaging/2014/000095.html
[3] https://moderncrypto.org/mail-archive/messaging/2014/000362.html
[4] https://moderncrypto.org/mail-archive/messaging/2014/000365.html
[5] https://moderncrypto.org/mail-archive/messaging/2014/000366.html

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
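The two mechanisms Trevor sketches above, a machine-generated high-entropy passphrase and an M-of-N set of trusted users holding shares of a recovery key, as an added Python example that is not part of the thread or of any software discussed in it. It assumes a 256-bit random recovery key split with Shamir secret sharing over the prime field GF(2^521 - 1) (a Mersenne prime, chosen so any 256-bit key is a field element); the step of encrypting each share to a trusted user's public key is left out, since a real deployment would use an existing public-key library for that, and the word list is a constructed stand-in whose size only affects the entropy estimate.

```python
import math
import secrets

# Mersenne prime 2**521 - 1: prime, and larger than any 256-bit recovery key,
# so every key is a valid element of the field the shares live in.
P = (1 << 521) - 1

# Constructed sample word list (assumption: a real deployment would use a
# full list of several thousand words; size drives the entropy estimate).
SAMPLE_WORDLIST = ["anchor", "basket", "copper", "dune",
                   "ember", "falcon", "granite", "harbor"]


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy (bits) of a phrase of n_words words each drawn uniformly."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, n_words):
    """Machine-generated phrase: every word picked with a CSPRNG, never by the user."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def generate_recovery_key():
    """256-bit random recovery key as an integer in [0, 2**256)."""
    return secrets.randbits(256)


def _eval_poly(coeffs, x):
    """Evaluate polynomial with coefficients coeffs[0..m-1] at x, mod P (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_recovery_key(key, m, n):
    """Split key into n shares so that any m of them reconstruct it.

    The key is the constant term of a random degree-(m-1) polynomial;
    share i is the point (i, f(i)) for i = 1..n.
    """
    if not 0 < m <= n:
        raise ValueError("need 0 < m <= n")
    if not 0 <= key < P:
        raise ValueError("key must be a field element")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares):
    """Lagrange-interpolate f(0) from (x, y) shares; correct only with >= m shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Multiply by the modular inverse of den (Fermat: den**(P-2) mod P).
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


if __name__ == "__main__":
    print("6 words from a 7776-word list:",
          round(passphrase_entropy_bits(7776, 6), 1), "bits")
    print("sample phrase:", generate_passphrase(SAMPLE_WORDLIST, 4))
    key = generate_recovery_key()
    shares = split_recovery_key(key, 3, 5)  # 3-of-5 trusted users
    print("3 shares recover key:", recover_key(shares[:3]) == key)
    print("2 shares recover key:", recover_key(shares[:2]) == key)
```

Each share would then be encrypted to one trusted user's public key and handed over; the user's own printed recovery key (or the passphrase) covers the case where no friends are reachable. Note that recovering with fewer than m shares does not fail loudly, it just yields an unrelated field element, so a deployment should bind the share set to a threshold and verify the recovered key (for example against a stored hash) before using it.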
