Updated Google Summer of Code 2015 (markdown)

Dominik Schürmann 2015-02-20 12:39:40 +01:00
parent b2ac15abe5
commit d4aabca295
1 changed files with 43 additions and 7 deletions

@ -101,15 +101,51 @@ Unit tests are important, especially for a security-related application like Ope
## Tasker Plugin
**Brief explanation:** Tasker is an app for automating tasks on Android, e.g., 'automatically send a message to someone when I am at home'. Having OpenPGP support in Tasker would allow for much better transport security for tasks related to end-to-end communication. Thus, a [Tasker plugin](TODO) should be developed that uses our [OpenPGP API](TODO) to allow automatic encryption/signing/decryption/verification. A good integration into Tasker and an easy UI is required.
## Keys in DNSSEC/DANE?
* https://github.com/rtreffer/minidns/issues/7
* http://tools.ietf.org/html/draft-ietf-dane-openpgpkey-00
* http://tools.ietf.org/html/draft-ietf-dane-openpgpkey-usage-00
**Expected results:** Tasker plugin for encryption/signing/decryption/verification
## Activity hijack
* pic
https://github.com/open-keychain/open-keychain/issues/841
**Knowledge Prerequisite:** Java programming, understanding of DNS
**Skill level:** medium
**Mentor:** Dominik Schürmann
**Contact:** [Mailinglist](http://groups.google.com/d/forum/openpgp-keychain-dev) or over XMPP (Jabber-ID: dominik@dominikschuermann.de)
## Keys in DNSSEC/DANE
**Brief explanation:** Together with XMPP [(see their GSoC idea)](https://community.igniterealtime.org/docs/DOC-2892) we would like to extend the [MiniDNS library](https://github.com/rtreffer/minidns) with DNSSEC support to allow the retrieval of OpenPGP keys from DNS entries.
MiniDNS is a DNS client library, which allows Android Apps and Java programs to resolve DNS resource records (RR). On Android, some resource records could not be resolved using only the Android API,
for example DNS SRV RRs. Which was one of the main reasons MiniDNS was invented. Adding support for DNSSEC would be the logical next step to improve the security of the software using MiniDNS. See also [https://github.com/rtreffer/minidns/issues/7](https://github.com/rtreffer/minidns/issues/7).
How OpenPGP keys should be published in DNS records is explained in ["Internet Draft:
Using DANE to Associate OpenPGP public keys with email addresses"](http://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01) and ["Internet Draft: Best Common Practise for using OPENPGPKEY records"](http://tools.ietf.org/html/draft-ietf-dane-openpgpkey-usage-01). OpenKeychain should be extended to allow importing keys from these records.
**Expected results:** DNSSEC implementation for MiniDNS and simple import of keys from DANE.
**Knowledge Prerequisite:** Java programming, understanding of DNS
**Skill level:** hard
**Mentor:** Dominik Schürmann
**Contact:** [Mailinglist](http://groups.google.com/d/forum/openpgp-keychain-dev) or over XMPP (Jabber-ID: dominik@dominikschuermann.de)
## Protection against "Activityjack Attack"
**Brief explanation:** Lets think of an attacker that prepares an app without special permissions that has one activity that looks exactly like OpenKeychain's passphrase dialog. The attacker can prepare the activity to a point it can not be differentiated from OpenKeychain's. This is especially easy because OpenKeychain is open source (copy paste the passphrase dialog, remove actual functionality and you are done).
The proposed solution from [CommonsWare's Blog](http://commonsware.com/blog/2014/08/25/defending-against-activityjack-attacks.html) is that the user chooses a picture that is displayed every time the passphrase dialog pops up. This picture can not be known by the attacker (we are not talking about apps with root access!). Now the user can differentiate benign and malicious activities manually.
**Expected results:** Protection against "Activityjack Attack"
**Knowledge Prerequisite:** Java programming, understanding of DNS
**Skill level:** hard
**Mentor:** Dominik Schürmann
**Contact:** [Mailinglist](http://groups.google.com/d/forum/openpgp-keychain-dev) or over XMPP (Jabber-ID: dominik@dominikschuermann.de)
## Improved Yubikey support
**Brief explanation:** OpenKeychain has support for secret keys stored on a [Yubikey](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/) for most crypto operations. However, there is no support currently for generating a new secret key on the Yubikey, associating a public key with the secret key material stored on the Yubikey, or exporting a secret key to a Yubikey. All of these operations require a [fairly difficult](https://www.yubico.com/2012/12/yubikey-neo-openpgp/) workflow on the command line using GnuPG and subsequent import of a stub secret key. Furthermore, there is no support for certification operations, which means that secret keys of this type can not be used to certify other keys, or edit/revoke its user ids and subkeys. Ideally, a user should be able to use his Yubikey without limitations using only OpenKeychain.
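
Review bot: The "Protection against "Activityjack Attack"" section carries the prerequisite line `**Knowledge Prerequisite:** Java programming, understanding of DNS`, which looks copied from the DNSSEC/DANE section above it. Nothing in that task's description involves DNS, so the prerequisite should name what the task actually needs, for example Android activity and UI development. The same DNS prerequisite also sits under the Tasker Plugin section, where it is equally out of place. Two smaller points in the same section: its `**Expected results:**` line only restates the heading, and it would help applicants to spell out the deliverable the description already proposes (a user-chosen picture shown every time the passphrase dialog pops up). The link to https://github.com/open-keychain/open-keychain/issues/841 from the old "Activity hijack" stub does not reappear in the new text and is worth keeping as a reference next to the CommonsWare link. In the Tasker section, `[Tasker plugin](TODO)` and `[OpenPGP API](TODO)` are still placeholder links and should be filled in before this page is published to applicants.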