Using third-party key management (at least on Android/mobile)

c.f. https://github.com/deltachat/deltachat-android/issues/827

I was happy to find an app like Delta Chat, but I have one very big gripe with it, which is key management. I understand that that is being worked on, but I think the app should really offer the option to outsource this, like K-9 Mail does (I’m not sure if it works only with a key manager or if it can provide its own too). Delta Chat could of course provide its own key manager too, so no third-party app is necessary to use the app. But for me, being able to manage this with external tools is vital. Without that, the app just feels like a stopgap solution to me.

3 Likes

Key management? Do you mean your own key or also the keys of the people you’re talking with?
Also it should be “hidden” in the settings and with a warning when you begin to modify it IMHO (such a warning as Firefox has when you go to about:config).

I personally don’t really care that much about being able to manage my public trusted keys, but it’s also a good idea. And about the warning… fine, give out a warning, but what’s important to me is that I can handle keys with an external app and, for example, give permission to use the key to Delta Chat for 30 mins and stuff like that.

Personally I think OpenKeychain (used e.g. by K-9) is rather annoying. And people will not understand why they need such a “useless” app. I think as an option it would be okay, but the automatic, silent key handling has its advantages.

2 Likes

Yes, but if you want to share a key between devices, it just doesn’t really work… at least not yet with not accepting keys with passphrases and giving no feedback as to the error. And the thing about not being able to choose a file in the settings is just weird.
Anyway, having it as an option would be great. And if you don’t have another app installed for key management, Android would just default to Delta Chat’s provider without even prompting the user. I don’t know how that works on iOS though.

On iOS we have to publish the key management app from the same developer account so we can create an app group where the apps can communicate. At least that’s how I understood it. If that’s the case we don’t really need such an extra app, because it can’t be universal like the OpenKeychain apps on Android.

Also you’re kinda asking two things at once here:

  • Importing a keyfile into dc
  • Key management with a separate app (you mentioned timed access, but that would mean the key management app does the encryption, doesn’t it? Otherwise timed access is not useful in increasing security, because if you don’t trust dc and give it the key for 30 min, you might as well give it the key forever, because what’s stopping a malicious version of dc from copying it in the 30 min timeframe?)

Right?
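
The point about timed access in the post above, as an added sketch that is not part of the thread and is not Delta Chat or OpenKeychain code: a key manager that performs the operation itself and hands out only a time-limited grant. `KeyBroker`, `grant`, `sign` and the client name are hypothetical, and HMAC-SHA256 stands in for the OpenPGP private-key operation.

```python
import hashlib
import hmac
import secrets
import time


class KeyBroker:
    """Hypothetical stand-in for an external key manager app."""

    def __init__(self, clock=time.monotonic):
        self._key = secrets.token_bytes(32)   # never returned to any client
        self._grants = {}                     # token -> (client, expiry)
        self._clock = clock

    def grant(self, client, seconds):
        """User approves `client` for a limited time; returns an opaque token."""
        token = secrets.token_hex(16)
        self._grants[token] = (client, self._clock() + seconds)
        return token

    def sign(self, token, message):
        """Perform the key operation for the client; the key itself stays here."""
        client, expiry = self._grants.get(token, (None, 0.0))
        if client is None or self._clock() >= expiry:
            self._grants.pop(token, None)
            raise PermissionError("no valid grant")
        # HMAC-SHA256 stands in for the OpenPGP private-key operation.
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def verify(self, message, tag):
        expected = hmac.new(self._key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo():
    now = [0.0]                               # constructed fake clock
    broker = KeyBroker(clock=lambda: now[0])
    token = broker.grant("chat-app", seconds=30 * 60)
    tag = broker.sign(token, b"hello")        # inside the 30 min window
    ok_during = broker.verify(b"hello", tag)
    now[0] = 30 * 60 + 1                      # window has passed
    try:
        broker.sign(token, b"later")
        ok_after = True
    except PermissionError:
        ok_after = False
    return ok_during, ok_after
```

Anything the client copied during the window (the token, earlier results) stops being usable once the grant expires, which is not true of an exported key file.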