Can't load key when hosting privately

[xtemp3r-zz]

setup: Ubuntu 18.04.4 LTS Server version: Apache/2.4.29 (Ubuntu)

1st I've replaced your domain with mine - I used this command to do so: grep -rli 'old-word' * | xargs -i@ sed -i 's/old-word/new-word/g' @

2nd I've added also this in .htaccess file so it can load files without extensions

now everything seems to load fine except cant connect with key

you can try on https://xtemp3r.net/keystuff/

[bmatusiak]

for security, the webcrypt app is restricted and can only be hosted from domain "apps.crp.to"

[xtemp3r-zz]

Can you point me where is this defined ?

[xeor]

See https://github.com/trustcrypto/OnlyKey-Firmware/issues/103 as well. This is a real bummer for me making me not want to use the keys at all.

This is something that should be configurable..

[onlykey]

@xeor Working with @bmatusiak to create a 3rd party developer api but yes for now it is limited to the apps.crp.to origin. If it wasn't anyone could send user's a phishing link to decrypt a PGP message. Making it configurable where there was a whitelist is an option but thats not a feature we are doing for the next release.

[xeor]

On https://onlykey.io/blogs/news/onlykey-fall-2020-update, there is a column:

3rd-party developer API. We have developed an innovative way to permit 3rd-party developer use in external applications. OnlyKey generates an unlimited number of derived keys which are unique to a developer’s domain and may be used in web applications. We plan to release this on NPM soon.

Is this what you are referring too?

Can't say I'm not exited!! ;D

[onlykey]

@xeor Its basically what is described here - https://github.com/Nitrokey/nitrokey-webcrypt/issues/14

Its not PGP though, essentially there are three simple developer functions

okconnect - Exchange a transit key between web app and OnlyKey (X25519 shared secret) to encrypt all future communication

okgetpublic - Gets a derived public from OnlyKey based on the developers web origin, and optionally some additional data.

oksharedsecret - Gets a shared secret from OnlyKey based on input public key, the developers web origin, and optionally some additional data.

So with shared secret web apps can establish shared secrets between two users with OnlyKeys, or we have the option to use a passphrase for users without a key. There is also an option to require press on OnlyKey (flashes blue and you have to press to generate shared secret). Shared secret can then be used in a developer web app for pretty much any crypto purpose, use for AES key to encrypt data, use for X25519 key to sign data, encrypted web pages, identities the possibilities are endless. The method mitigates phishing because keys are unique to developer web origin, if the site is mysite.com and a phishing page is set up at notmysite.com to trick user's it just creates completely different keys. It does require that a developer correctly secure their site though, obviously if your own web site is hacked an attacker would have control.

[Madydri]

Hello, is there news on this subject (limiting use to "apps.crp.to") 2 years later. As for phishing, an end user that is asked to use "apps.crp.to", is even unable to know what is "apps.crp.to", as asking him to go to "acadabre.good.site" ! But a user cas be used to his own domainname "orders.mydomain.name", and for example have to goto "cryptokey.mydomain.name" for decrypting. He still needs to buy the onlycrypt-handware key :D , but layout and domain could be adapted and probably this brings more acceptance has to have to outsource the decryption to (do not take it bad) "apps.crp.to" that is not necessary know by every user on the world. Thanks for your work.

[onlykey]

@Madydri Yes, there has been progress. We plan to release 3rd party support on NPM, that effort will be here https://github.com/trustcrypto/node-onlykey

And there is a WIP here https://github.com/bmatusiak/node-onlykey

I don't know exactly what the other questions posted are asking.

[Madydri]

good news ! Thanks 👍