Facebook PGP Application: Building a Facebook Key Server, Study Guides, Projects, Research of Computer Science

This document describes the development of a Facebook application acting as a PGP/GPG key server. The authors detail the limitations of existing key servers and their solution, which includes using Facebook to establish marginal validity and to manage keys. It also covers prior work, progress, and milestones.

Typology: Study Guides, Projects, Research

Pre 2010

Uploaded on 08/18/2009

koofers-user-obp

Facebook PGP Application Milestone

Michael Dietz

November 6, 2008

Proposal Revisited

In our initial proposal we detailed a system for verifying someone you have been chatting with using a PGP-enabled Facebook application. While Devin has been working on a Pidgin plugin to complete the chat component of this project, I have been working on building a Facebook application to store and verify public keys. We have decided to expand our initial proposal and attempt to create a Facebook application that acts as a PGP/GPG key server.

Prior Work

Current PGP/GPG Key Servers

Existing PGP/GPG key servers, like http://pgp.mit.edu/, have several limitations. First, they act only as aggregators of public keys and provide no way for a PGP/GPG user to verify that a public key stored on the key server is valid; that verification is usually accomplished via out-of-band communication. Furthermore, existing key servers will serve up private information such as email addresses to anyone who requests the public key associated with a name or email address. Finally, one of the most popular key servers does not support public keys that include an identifying image. Extracting and displaying the images included with public keys is an important part of our project, and it is functionality that we must include in our Facebook key server.

Crypt GPG PHP Extension

GPG provides no API for developers to use programmatically; all of the GPG functionality is accessed via the Unix command line. The Crypt GPG extension for PHP works around this problem by wrapping the command-line GPG functions in an API that PHP developers can use. This extension does not yet provide the ability to extract the image stored in a public key, so this functionality must be added.
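
As an added illustration (not code from this project or from Crypt GPG), the Python sketch below shows what photo extraction involves at the packet level: in OpenPGP (RFC 4880) a photo ID is a User Attribute packet (tag 17) whose image subpacket carries a JPEG after a 16-byte header. The function names and the sample bytes are constructed for this example, and the input is assumed to be a binary (de-armored) key.

```python
def _length(buf, i, two_octet_max):   # RFC 4880 length at buf[i] -> (length, next index)
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o <= two_octet_max:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2
    if o == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled here")

def packets(buf):
    """Yield (tag, body) for each packet of a binary (de-armored) OpenPGP key."""
    i = 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80 or (hdr & 0x43) == 3:
            raise ValueError("not a packet header, or indeterminate length")
        if hdr & 0x40:                       # new-format header
            tag, (n, i) = hdr & 0x3F, _length(buf, i + 1, 223)
        else:                                # old-format header, 1/2/4-octet length
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(buf[i + 1:i + 1 + size], "big"), i + 1 + size
        if i + n > len(buf):
            raise ValueError("packet length runs past the end of the data")
        yield tag, buf[i:i + n]
        i += n

def photo_ids(key_bytes):
    """Return the JPEG bytes of each photo ID (User Attribute packet, tag 17)."""
    photos = []
    try:
        for tag, body in packets(key_bytes):
            j = 0
            while tag == 17 and j < len(body):
                n, j = _length(body, j, 254)
                if n < 1 or j + n > len(body):
                    raise ValueError("bad attribute subpacket length")
                sub_type, data, j = body[j], body[j + 1:j + n], j + n
                hlen = int.from_bytes(data[:2], "little")   # little-endian header length
                v1_jpeg = sub_type == 1 and 4 <= hlen <= len(data) and data[2:4] == b"\x01\x01"
                if v1_jpeg and data[hlen:hlen + 3] == b"\xff\xd8\xff":   # JPEG magic only
                    photos.append(data[hlen:])
    except IndexError as exc:
        raise ValueError("truncated OpenPGP data") from exc
    return photos

JPEG = b"\xff\xd8\xff\xe0" + b"constructed-not-a-real-image" + b"\xff\xd9"   # constructed
SUBPACKET = bytes([51, 1]) + b"\x10\x00\x01\x01" + bytes(12) + JPEG          # image subpacket
SAMPLE = b"\x99\x00\x0b\x04" + bytes(10) + b"\xcd\x05Alice" + bytes([0xD1, 52]) + SUBPACKET
```

Because an uploaded key is untrusted input, the parser rejects any length that runs past the buffer and returns only data that begins with the JPEG magic bytes.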

Facebook key server progress

We have a Facebook application that provides the most basic key server functionality, namely storing keys! A Facebook user who adds our application can store their public key with our application and inspect the details associated with it. At this point we have made the design decision that a Facebook account should only have one public key associated with it. This makes key management simple since key revocation and updating can be done on a per-Facebook-account basis, but we may have to revisit this decision if we find that our application users wish to associate several keys with their account.

Facebook key server strategy

Using Facebook to establish marginal validity

We intend to present a user who wishes to validate a public key with an interface that will allow them to validate a key using the Facebook web of trust. This will be accomplished by presenting the user with the image associated with the public key under scrutiny as well as a number of photos selected from the photos tagged by the Facebook friends of the public key’s owner.

Key management using Facebook

We intend to allow users to sign the public keys of other users of our application. This can be accomplished by allowing application users to push public keys with new signatures to our application. Furthermore, Facebook allows us to perform actions such as presenting the newly signed public key to its owner before pushing it to the key server.

We can also allow users to easily revoke/manage their own keys or view their current web of trust using the Facebook web interface. The Facebook interface can also allow us to push notifications concerning keys in their web of trust to our application users.

Facebook key server Milestones and Progress

Completed:

  1. Build a Facebook application that can store data using the Facebook datastore API.
  2. Allow an application user to upload a public key.
  3. Allow an application user to manage their public key.

In Progress:

  1. Create an interface for application users to validate public keys using the photo embedded in the public key and tagged photos of another application user.
  2. Allow application users to sign their friends’ public keys.
  3. Integration with Devin’s Pidgin plugin.