[messaging] Multiple devices and key synchronization: some thoughts

Michael Rogers michael at briarproject.org
Sat Jan 3 00:06:54 PST 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/01/15 20:44, Trevor Perrin wrote:
> On Fri, Jan 2, 2015 at 1:35 AM, Michael Rogers
> <michael at briarproject.org> wrote:
>> 
>> * The existing device introduces the new device to the user's
>> other devices (if any) and the user's contacts' devices. This
>> involves brokering a key exchange between each pair of devices to
>> set up an encrypted and authenticated link.
> 
> 
> That's a reasonable addition.
> 
> Without a single "master" or "identity" key though, I'm not sure
> how TOFU or out-of-band verification (like "fingerprints") would
> work.
> 
> For example, suppose I wanted to print something on my business
> card that was sufficient for someone to send a message that all my
> devices can decrypt.
> 
> That's possible with a single master key, or with signatures,
> since someone could lookup my public key from the fingerprint and
> perhaps signatures from that key over device-specific keys.
> 
> But it doesn't seem possible with this new proposal, since it
> would require interaction with one of my devices to "broker"
> knowledge of my other devices?

Let me say first of all that I don't think we should get hung up on
business cards. Billions of people use mobile phones as their main or
sole messaging devices; very few people print their own business
cards. We should focus on the tech that people actually use.

Having said that, if you wanted to print something on a business card
in this model, it would be one or more QR codes. Each QR code would
contain contact details for one of your devices, including a
device-specific public key for authenticating a forward-secret key
exchange.

Having established a connection with one of your devices, your new
contact would then be introduced to the other devices by the first device.

If you wanted to skip the business card you could just display the QR
code on the screen of the first device.

Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJUp6MeAAoJEBEET9GfxSfMDYQH/10fnigVx8Fcz5yAlCmJQH7k
JXf2o7jFeHuSs9CmNF8ihO1navWmxPieQ997q7bUU8SQxchVvb49ocCr35czAO7S
S8xT3AwomjAc5qBbVt1YMwy9G/1Ar43+21uawo/KuxEOpXSNla5iACdcvO51jAEH
bAYJAo2Cm+mXTntaNre55X8V4IKFlsXbAyJ6JJUI+MCNaKHm30UmYk8Mg43l57XE
y+RQrVuCTtDvJdlIEP6W1Y21helQlQbV0PpAROHol1L7Bq/f9EgU5Dn4uv0QtCdm
/mCcJdgHNEo7KcECl0nxCk9vk6znUw+2yrsRnIZoLbquLFiufdtZcBd6pvSV91Q=
=Qt3Q
-----END PGP SIGNATURE-----

More information about the Messaging mailing list