Workplan for Year 1

Proposed Work Plan

Research Questions

  1. What kind of data on a user's desktop or laptop computer (PC) needs to be synced to and stored securely on their mobile phone? Which data is most critical or most helpful to have while on the go?
  2. Should the model for data syncing be a direct PC-to-mobile sync, or can it take advantage of cloud or wider network-based resources?
  3. Can the syncing or identification of trusted third parties use existing “Web of Trust” resources such as public OpenPGP directory servers, or do the relationships that exist in this data need to be obscured?
  4. What kind of verification needs to be put in place to ensure that the syncing between PC and mobile does not suffer from man-in-the-middle attacks or other intrusions?
  5. What is the best storage mechanism for secure data on a mobile device: an encrypted file system driver, or an encrypted relational database?

Core Activities

  1. Identify target users, user stories, threat levels and bad actors
    1. Define targets for level of security
    2. Baseline / typical solution
    3. Hardened / locked down solution
    4. Model user stories and at-risk assets
      1. Low risk: public verified keys
      2. Medium risk: mobile private keys
      3. High risk: private keys
  2. Design and Prototype Solutions
    1. Secure Sync between Desktop and Mobile
    2. Key / Token Management on Mobile
    3. Secure File Storage solution

Proposed Prototypes

The project will implement one or more prototypes of the PSST system that support syncing of secure data from the following applications:

  1. Gibberbot to Pidgin secure messaging: OTR key sync
  2. Android Privacy Guard to GNU Privacy Guard desktop: public and private key sync
  3. Root Certificate Authority storage and sync to Android CACertMan/CACerts.bks
  4. Shared Secure File System: secure file sharing between mobile and desktop
    1. NoteCipher: add support for all file types to the existing “secure notepad” app
    2. Personal sync between a user's own devices, not multi-user sharing (i.e. not Dropbox)

Timetable

Task Detail

  1. Auditing
    1. Existing software and services will be inspected, tested and vetted
  2. Development Sprint
    1. Each sprint will last six weeks
    2. All code will be managed and logged in a public version control system
  3. User Testing and Design Review
    1. Promote the current stable release of the prototype to a select group of users
    2. Hold design review meetings with the whole team, partners and other relevant parties
  4. Publishing Papers / Specifications
    1. Publicly share proposal for any new specifications or services
    2. Post documentation of best practices determined

Milestones

  • October 1 - December 31, 2011: Two six-week development sprints
  • January 1 - March 1, 2012: User testing and design review; one six-week development sprint
  • March 1 - March 31, 2012: User testing and design review; one final development iteration; final review and publishing of spec / paper
