Useable PKI
From IIW
Useable PKI
Thursday 2F
Convener: Steve O.
Notes-taker(s): Andrew H.
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
PKI is 20 years old, ongoing frustrations about lack of adoption
- Consumer adoption has to be zero effort from there perspective - i.e. having the right value proposition for the tech
- Also need to demonstrate that their lives would be better in some way with crypto
- Key management is a still a problem
- Tech experts tend to overestimate the value or purpose of crypto
- There may be value in use of certificates for digital signatures/protection
- In Denmark, everyone has an eID (public/private keys) that they can use for real life purposes. But it would not have happened without the Government doing it for their own purpose.
- Need to find a better mid-way solution for key management, maybe cloud-based/enterprise run, that is ‘better’ than today but not necessarily perfect
- Why not just blockchain it all?
- Lots of discussion about encrypted communications
- What are the issues with PKI that need fixing?
- Nothing is really, truly interoperable
- There are some security flaws that are addressed over time
- What is the problem that needs to be solved?
- It is hard to get end-user applications up and running
- Maybe it’s a user-education problem?
- How do we get herd immunity?
- Expectation management is needed
- Fear of loss of keys equals loss of access to my stuff
- To make it ubiquitous, it probably needs to be adopted by a mass-market producer. e.g. Unix only became ubiquitous when Apple picked it up
- Keybase.io
- Key issuer model - can accommodate all kinds of different key models
- Blockchain
- A secure data store with distributed copies of the ledger
- Blockchain creates the notion of ‘ownership'
- Can create the ability to prove and protect ownership over any data object - global registry
- PGP keys can be stored in the profile which means that the username can be considered trustable to the same level as the key
- http://www.onename.com/ryanshea
- Built on OpenName protocol
- Service providers
- Provide services to fill many of the stated needs (encrypted email exchange, encrypted file sharing, etc)
- Issue is do you trust the service provider
- http://www.keybase.io is moving to a desktop model to enable the ability to detach from the servers and do local processing
- Need to look to correlated/corroborated sources
- The http://www.onetime.com setup ceremonies seem to take effort & is that too much to expect?
- The ‘runtime’ operations - does it take effort to validate that the communication is trusted? Apps still need to be built - but it’s easy to design and build.
- U2F seems to be moving in the right direction
- Seems that removing the CA / central infrastructure wherever possible (for peer to peer at least)