Skip to content
This repository has been archived by the owner on Nov 1, 2017. It is now read-only.

Key escrow #68

Closed
bkeepers opened this issue Jan 17, 2013 · 2 comments
Closed

Key escrow #68

bkeepers opened this issue Jan 17, 2013 · 2 comments

Comments

@bkeepers
Copy link
Contributor

It should be easier to use the app from multiple devices. To do that, we need an easy way to get the key on those devices. A few ideas:

  1. Implement a separate key store service that will save private keys. This should be completely separate from the central data store and ridiculously secure.
  2. Save the key to dropbox. This could even be as an HTML file, which has a big link to the app with the key as part of the hash, which could then be copied into localStorage
  3. Google Authenticator or something like it. I think this requires that the server has the key, so this probably isn't a great option if we want to keep the keys off the server.
@cobyism
Copy link
Contributor

cobyism commented Jan 17, 2013

There was also that idea about using a QR code to transfer between
desktop/laptop and mobile devices 😀

On Wednesday, January 16, 2013, Brandon Keepers wrote:

It should be easier to use the app from multiple devices. To do that, we
need an easy way to get the key on those devices. A few ideas:

  1. Implement a separate key store service that will save private keys.
    This should be completely separate from the central data store and
    ridiculously secure.

  2. Save the key to dropbox. This could even be as an HTML file, which
    has a big link to the app with the key as part of the hash, which could
    then be copied into localStorage

  3. Google Authenticator or something like it. I think this requires
    that the server has the key, so this probably isn't a great option if we
    want to keep the keys off the server.


    Reply to this email directly or view it on GitHubhttps://github.com/Key escrow #68.

@zef
Copy link

zef commented Jan 25, 2013

Dropbox is a nice solution, but it's too permanent and provides a the context about who the key belongs to.

Instead of a true store service I like the idea of sending them in a transient manner like This Message Will Self-Destruct.

Flow could work something like this:

  1. User requests to send private key
  2. Private key is securely stored without any context about owner, identified by a UUID
  3. UUID is transferred to the client receiving the key, mechanism doesn't matter but could go through swordfish account.
  4. Client requests the key, the key is sent and immediately destroyed

Temporary passcode protection could go on top of this too, like they do with This Message Will Self-Destruct.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@bkeepers @zef @MikeMcQuaid @cobyism