The phone number approach was being used to authenticate SMS communications.
On Thu, Jul 18, 2013 at 1:54 PM, Sam Bull <sam.hack...@sent.com> wrote:
> On Thu, 2013-07-18 at 20:26 +0200, Rasmus Eneman wrote:
> > >If you're going to handle key creation and exchange invisibly, what
> > use is GPG?
> > Because we would want that infrastructure for the email anyways.
>
> I think his point is that the strength of GPG is in its trust model. We
> can handle key creation and exchange invisibly, and provide an encrypted
> session. But, we should make the interface clear that the recipient is
> not verified, and provide instructions on how to verify the recipient's
> key (and then sign it).
>
> > We trust the phone number as SIM cards aren't clone-able.
>
> Even if that is true, how are you going to send the phone number over
> the internet in a way which I couldn't just replace with a fake number?
> Basically, that's not going to work.
>
> > If not we should notify the user, explain why this could happen and
> > ask him or her if the new key is trusted.
>
> Ignore the phone number approach, but this is what should happen if a
> new key is detected. It again needs to be clear that the new key needs
> to go through verification as before.
>

--
Sincerely,
Josh
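
The behaviour discussed in this thread (invisible key exchange, an explicit "not verified" state, and re-verification when a new key is detected), sketched as an added example that is not code from the thread or from Ubuntu Phone. `KeyStore`, `Trust` and `fingerprint` are hypothetical names, and a SHA-256 digest stands in for a real OpenPGP fingerprint.

```python
import hashlib
import hmac
from enum import Enum

class Trust(Enum):
    UNVERIFIED = "unverified"  # key was exchanged invisibly; owner not checked
    VERIFIED = "verified"      # user compared the fingerprint out of band
    CHANGED = "changed"        # a different key arrived; must be verified again

def fingerprint(pubkey: bytes) -> str:
    # Assumption: SHA-256 of the raw key bytes stands in for an OpenPGP fingerprint.
    return hashlib.sha256(pubkey).hexdigest()

class KeyStore:
    def __init__(self):
        self._pinned = {}   # contact -> (fingerprint, Trust)
        self._pending = {}  # contact -> new fingerprint awaiting the user's decision

    def observe(self, contact: str, pubkey: bytes) -> Trust:
        """Record a key received for a contact; return the state the UI must show."""
        fp = fingerprint(pubkey)
        if contact not in self._pinned:
            # First contact: accept the key, but never present it as verified.
            self._pinned[contact] = (fp, Trust.UNVERIFIED)
        elif self._pinned[contact][0] != fp:
            # New key detected: keep the old pin, park the new key, ask the user.
            self._pending[contact] = fp
            return Trust.CHANGED
        return self._pinned[contact][1]

    def verify(self, contact: str, fp_out_of_band: str) -> bool:
        """User confirms a fingerprint obtained out of band; pins it on a match."""
        if contact not in self._pinned:
            return False
        candidate = self._pending.get(contact, self._pinned[contact][0])
        if not hmac.compare_digest(candidate, fp_out_of_band):
            return False
        self._pinned[contact] = (candidate, Trust.VERIFIED)
        self._pending.pop(contact, None)
        return True

if __name__ == "__main__":
    store = KeyStore()
    print(store.observe("alice", b"constructed-key-A"))  # first sight of a key
    print(store.observe("alice", b"constructed-key-B"))  # replacement key arrives
```
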