RFC: This patch includes the user's DSA key fingerprint in their QR code #14
Request for comment:
The ability to add a user via QR code is already implemented, but misses out on a key benefit of the use of a QR code - currently the QR code contains the username, and Surespot does the rest. For future expansion, I have included the user's DSA (i.e. signing) key fingerprint. (I believe this is the one which makes more sense to verify; I may be wrong here.)
By allowing a user to invite another user via QR code, and including the fingerprint in the QR, it ensures that the user is getting the correct key returned from the server, making a physical meeting and exchanging Surespot IDs a guaranteed process, where even if the central server is not behaving, or compromised, the user will still have the correct key information available. I have not implemented this into any of the other invite/share methods, as they appear to rely on Internet connectivity, making them prone to a MITM attack. It could be easily added there too as a small extra level of security, as the email link AND Surespot server fingerprints would need to match.
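The check described above, sketched as an added example (not code from this patch or from Surespot). The `invite:<username>:<fingerprint>` payload layout and the SHA-256-over-encoded-key fingerprint are assumptions made for illustration, and the key bytes are constructed placeholders rather than real DSA keys.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

PREFIX = "invite"  # hypothetical scheme tag, not Surespot's actual QR format


def fingerprint(public_key_bytes: bytes) -> str:
    """Hex SHA-256 over the encoded public key (assumed fingerprint scheme)."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def build_qr_payload(username: str, signing_key: bytes) -> str:
    """Text the inviting user's device would encode into the QR code."""
    return f"{PREFIX}:{quote(username, safe='')}:{fingerprint(signing_key)}"


def parse_qr_payload(payload: str):
    """Return (username, fingerprint or None); raise ValueError if malformed."""
    parts = payload.split(":")
    if len(parts) not in (2, 3) or parts[0] != PREFIX or not parts[1]:
        raise ValueError("not an invite payload")
    fp = parts[2].lower() if len(parts) == 3 else None
    if fp is not None and (len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp)):
        raise ValueError("bad fingerprint field")
    return unquote(parts[1]), fp


def check_server_key(payload: str, key_from_server: bytes) -> str:
    """Compare the key the server returned with the fingerprint scanned in person."""
    _, expected = parse_qr_payload(payload)
    if expected is None:
        return "unverified"  # username-only QR: the server's answer is taken on trust
    if hmac.compare_digest(expected, fingerprint(key_from_server)):
        return "verified"
    return "mismatch"        # server returned a different key: do not add the contact


# Constructed sample data: placeholder bytes standing in for encoded DSA public keys.
ALICE_KEY = b"constructed-sample-alice-dsa-public-key"
SUBSTITUTED_KEY = b"constructed-sample-key-swapped-in-by-server"
QR = build_qr_payload("alice", ALICE_KEY)

if __name__ == "__main__":
    print(check_server_key(QR, ALICE_KEY))              # honest server
    print(check_server_key(QR, SUBSTITUTED_KEY))        # misbehaving server
    print(check_server_key("invite:alice", ALICE_KEY))  # QR without a fingerprint
```

The `unverified` result is the case the current username-only QR code falls into: nothing scanned in person constrains which key the server hands back.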
+1 for this. Threema has the same thing I believe.
As far as I understood, sceptical users could argue that they don't trust you to deliver the right key, be it out of pure evil ;) or because you've been compromised/hacked. This pretty much solves the problem. I didn't look at the code though.