[messaging] Peerio
Trevor Perrin
trevp at trevp.net
Sat Feb 28 12:19:02 PST 2015
On Sat, Feb 28, 2015 at 11:57 AM, Nadim Kobeissi <nadim at nadim.computer> wrote:
> Re. Trevor and dkg,
> I easily concede that further study is required. If it turns out our current
> passphrase model is not expensive enough, I'll hold myself to updating the
> Peerio client to have more stringent parameters on how generation is
> handled.
IIRC, miniLock originally focused on the software choosing a random
passphrase for the user, instead of user choice?
That gives you good control of the passphrase entropy. If you're
taking any approach where a passphrase-encrypted private-key is
exposed to other users or the server, that's what I'd recommend.
I'd also consider making server storage of the passphrase-encrypted
private-key optional, since I think for many users it's an unnecessary
risk.
(But this would require considering the use cases for key portability
in more detail, which might be a good further thread - multidevice,
lost-device, internet cafe, etc.)
Trevor
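An added illustration of the software-chosen passphrase approach Trevor describes (example code, not Peerio's or miniLock's own): the client picks the words, so the entropy is known exactly, and the cost an attacker faces against an exposed passphrase-encrypted private key is entropy plus KDF cost. The small wordlist, the Diceware list size and the scrypt parameters are assumptions for the example.

```python
import hashlib
import math
import secrets

# Constructed stand-in wordlist; a real client would ship a full list.
SAMPLE_WORDS = ["apple", "brick", "cloud", "delta", "ember", "frost", "grape", "harbor"]
DICEWARE_LIST_SIZE = 7776  # 6^5 words in a standard Diceware list (assumed reference size)


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words words drawn uniformly and independently from list_size words."""
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits of entropy from a list of list_size words."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDS) -> str:
    """Software-chosen passphrase: words picked by the CSPRNG, never by the user."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def derive_key(passphrase: str, salt: bytes, log2_n: int = 14) -> bytes:
    """Derive the key that would wrap the private key; N=2^log2_n, r=8, p=1 are assumed parameters."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=1 << log2_n, r=8, p=1, dklen=32)


def offline_attack_work_bits(entropy_bits: float, kdf_cost_bits: float) -> float:
    """Log2 of expected work for an offline guess over an exposed encrypted key:
    every guess costs one KDF evaluation, so total work is 2^entropy * 2^kdf_cost."""
    return entropy_bits + kdf_cost_bits


if __name__ == "__main__":
    n = words_needed(90, DICEWARE_LIST_SIZE)
    print(f"{n} Diceware words give {passphrase_entropy_bits(n, DICEWARE_LIST_SIZE):.1f} bits")
    pp = generate_passphrase(n)
    key = derive_key(pp, secrets.token_bytes(16))
    print(f"constructed passphrase: {pp!r} -> {key.hex()[:16]}...")
    print(f"offline work vs. 2^14-cost scrypt: 2^{offline_attack_work_bits(90, 14):.0f}")
```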