Additionally keep static qr codes for offline out-of-band verification?


#1

The advantages:

  • works offline :wink: (for people who do not have a mobile data flatrate)
  • The QR codes could even be printed on visiting cards or similar

The disadvantages:

  • Actually only one direction is verified (if Alice scans Bob’s code, A can be sure that she chats with B. - But Eve could scan B’s code and do as if she was A without B noticing). So, B can’t be able to add A to a verified group.
  • B could ask A whether the verification worked and then be sure that he chats with A but DC won’t know

My opinion is that nevertheless, this should be added as an additional feature (like, if a scanned QR code is “too old” or there is no internet connection, show a warning to the user and do a one-direction offline out-of-band verification).

Any opinions?


#2

Continuing https://github.com/deltachat/deltachat-android/issues/756 here.


#3

what about doing the offline verification in-time but using a direct connection via Bluetooth or wifi???


#4

I don’t know how this qr verification process work but I am not sure why this need to use Internet/email-server to do a physical qr scan verification


#5

Generally a good idea, if this can be implemented user-friendly… From my experience something like this tends to be buggy but in general, good idea.

r10s:

the verification is not only about transferring a key but also about receiving the key of the other side and about knowing that the other side knows that you have the key. this requires a network connection.
even if we could delay this in a way, there would be no clear verification result after scanning and it would be confusing ux-wise when and if you can add the contact eg. to a verified group.


#6

I agree with this, what I say is that it would be even better if that network connection is a private direct connection between the two devices, or there are a real need for this to be transported using the email?


#7

I just cited r10s to answer your other question, and he probably didn’t think of this.

And stil…


#8

answering to myself, probably it is easier to just use the email, in the end you want to use the email to send the message to the other peer, and it is easier to just use the email, than implementing a way to connect offline :wink: