monkeysign issueshttps://0xacab.org/monkeysphere/monkeysign/-/issues2018-02-15T09:52:05Zhttps://0xacab.org/monkeysphere/monkeysign/-/issues/6consider local key exchange mechanisms (geysigning, safeslinger)2018-02-15T09:52:05Zanarcatconsider local key exchange mechanisms (geysigning, safeslinger)The [geysigning project](https://github.com/muelli/geysigning), which reuses (and improves on!) parts of the Monkeysign code, introduces a novel idea of *not* depending on the keyservers to fetch the public key material before signing. T...The [geysigning project](https://github.com/muelli/geysigning), which reuses (and improves on!) parts of the Monkeysign code, introduces a novel idea of *not* depending on the keyservers to fetch the public key material before signing. To quote their README file:
> In contrast to caff or monkeysign, this tool enables you to sign a key without contacting a key server. It downloads an authenticated copy of the key from the other party. For now, the key is authenticated by its fingerprint which is securely transferred via a QR code. Alternatively, the user may type the fingerprint manually, assuming that it has been transferred securely via the audible channel.
I haven't figured out exactly *how* the key material is copied - it is presumably done through some Avahi protocol?
OpenKeychain has its own way of doing those transfers, which are implemented as a multi-party "keysigning party" protocol of some sort. It uses an app called [SafeSligner](https://www.cylab.cmu.edu/safeslinger/) for which there is a [Python library](https://github.com/SafeSlingerProject/exchange-python-web) we could reuse as well.
List of possible implementations:
* [geysigning][geysigning project] - homegrown avahi + httpserver
* [SafeSlinger][] - custom protocol?
* [FlyWeb](https://flyweb.github.io/posts/2016/11/01/introducing-flyweb.html) - standardized web-based avahi + httpserver?Monkeysign 3.0.0https://0xacab.org/monkeysphere/monkeysign/-/issues/15wrap labels dynamically2018-02-15T09:52:05ZJerome Charaouiwrap labels dynamically*Imported from bugseverywhere, created on 2013-10-20**Imported from bugseverywhere, created on 2013-10-20*Monkeysign 3.0.0https://0xacab.org/monkeysphere/monkeysign/-/issues/16don't use popups2018-02-15T09:52:05ZJerome Charaouidon't use popups*Imported from bugseverywhere, created on 2013-10-20**Imported from bugseverywhere, created on 2013-10-20*Monkeysign 3.0.0https://0xacab.org/monkeysphere/monkeysign/-/issues/18windows port2018-02-15T09:52:05ZJerome Charaouiwindows port*Imported from bugseverywhere, created on 2013-10-20**Imported from bugseverywhere, created on 2013-10-20*Monkeysign 3.0.0https://0xacab.org/monkeysphere/monkeysign/-/issues/19batch mode2018-02-15T09:52:05ZJerome Charaouibatch mode*Imported from bugseverywhere, created on 2013-10-20**Imported from bugseverywhere, created on 2013-10-20*Monkeysign 3.0.0https://0xacab.org/monkeysphere/monkeysign/-/issues/21port to GTK 32018-06-18T15:44:16ZJerome Charaouiport to GTK 3*Imported from bugseverywhere, created on 2013-12-01**Imported from bugseverywhere, created on 2013-12-01*Monkeysign 3.0.0https://0xacab.org/monkeysphere/monkeysign/-/issues/22merge with python-gnupg2018-02-15T09:52:05ZJerome Charaouimerge with python-gnupg*Imported from bugseverywhere, created on 2013-10-20**Imported from bugseverywhere, created on 2013-10-20*Monkeysign 3.0.0https://0xacab.org/monkeysphere/monkeysign/-/issues/26wizard? add explanations on what will happen2018-02-15T09:52:05ZJerome Charaouiwizard? add explanations on what will happen*Imported from bugseverywhere, created on 2013-10-20**Imported from bugseverywhere, created on 2013-10-20*Monkeysign 3.0.0https://0xacab.org/monkeysphere/monkeysign/-/issues/31encode a "can you keep my picture" in the qrcode2018-02-15T09:52:05ZJerome Charaouiencode a "can you keep my picture" in the qrcode*Imported from bugseverywhere, created on 2013-10-20**Imported from bugseverywhere, created on 2013-10-20*Monkeysign 3.0.0https://0xacab.org/monkeysphere/monkeysign/-/issues/42Keep camera frame containing qr-code for safekeeping2018-02-15T09:52:05ZJerome CharaouiKeep camera frame containing qr-code for safekeepingIt would be awesome if Monkeysign would, by default, keep a copy of qr-codes containing fingerprints of keys being signed.
Here's a little snippet demonstrating how to use OpenCV and zbar to do that: https://0xacab.org/snippets/4
As a ...It would be awesome if Monkeysign would, by default, keep a copy of qr-codes containing fingerprints of keys being signed.
Here's a little snippet demonstrating how to use OpenCV and zbar to do that: https://0xacab.org/snippets/4
As a bonus, it uses zbar data to visually identify the qr-code containing the fingerprint in the saved image. This probably eliminates an attack scenario where a bad qr-code would be placed behind the user in an attempt to have the wrong key signed.
Obviously, the difficult part is integrating this in a the GTK UI. Probably this will be easier after #21 is fixed.Monkeysign 3.0.0