The issue is that of "identity". There is no real way to know that someone's public key is theirs. Yes, the key is accompanied with additional information such as name, and email address, and that is signed by the private key so we know it all goes together. However we don't know it is not all simply made up by someone else.
This is solved in many ways - I have a PGP key fingerprint on my business cards. This means that after a face to face meeting, someone can check the person they actually met matches a public key they find on the internet. They still do not know for sure that the person they met is Adrian Kennard, but they know they are communicating with the person they met (assuming I am not giving someone else's key out for some obscure reason).
The other way is a "web of trust" - when you meet someone, and by some means you confirm their identifying information in their public key matches up to them (check passport, driving licence, etc), then you counter sign their key. This is what happens at key signing parties (honest, that is all, it is not some euphemism).
The idea is that with people signing other people's keys you can create a chain of signatures from someone you know personally to the key you want to check. And indeed, by having multiple paths, and a score of "trust" in each signature, you can create a threshold for trusting the "web".
This ultimately allows you to trust people you do not know without the need for a trusted central authority model. Obviously, if trusted central authorities, like banks, and companies house, actually participated, that would help massively.
So how could we improve the web of trust?
Well, I wonder if this is actually a role the likes of Facebook could take on. This already creates a web of contacts, and most of my "friends" I know personally and can be sure the Facebook persona is the person I know. They would need to prompt people to confirm how well they know their friends, not when they follow but maybe a few months later. But ultimately that could mean allowing a signature chain to be created to join up digital keys...
I have not worked out the details - as one issue is that not everyone has keys, and I have not told Facebook my public key, but done right it could mean people that do put public keys on Facebook could get a load of addition signatures based on a web of social media trust.
I have also not tried to work out how the whole thing could be heavily trolled.
Comment?
Keybase is trying todo something similar to this: https://keybase.io/
ReplyDeleteWhat I find interesting about Keybase is how it turns it around.
DeleteI don't know RevK in real life, I just follow the blog. So proof that a pgp key is Adrian Kennard isn't so useful.
With the proofs done with keybase, I can send a message to the future provable owner of revk.uk, and when that ownership is proven my client will automatically rekey the conversation to grant him access.
Keybase is very much what you have in mind. It'll let you import existing PGP keys, too - A&A might consider doing that!
ReplyDeleteThe problem with the web of trust is always that you don't have to go many hops before you come across someone that you trust but I distrust. Scoring through multiple paths helps to some extent, but its still a problem.
ReplyDeleteJust agreeing with the other commenters - Keybase is brilliant!
ReplyDeleteDo you watch any of the Dave Gorman programmes? "Modern Life Is Good-ish". I think you would like it.
ReplyDeleteNot seen the latest series yet. Yes, very good.
DeleteAnd James Veitch has some good stuff too. He hasn't hit mainstream media yet - but he should do. Quest Channel would love him. He's done some TED talks and some good YouTube content.
ReplyDeleteSounds like a variant of blockchain to me. However, if you store identity in the blockchain in an immutable manner, how do you execute a right to be forgotten, or even change identities?
ReplyDelete