In a way, this seems like an at-speed version of the Social Security Number's slow-motion train wreck: just as SSNs are not secret (and in many cases are actually pretty easily guessable), so too possession of a phone number is too-easily changed.
We need a good solution to identity. Right now most web services use 'has control of an email account,' while some others — to include email services — use 'has control of a phone number.'
I don't trust governments in general, so 'is vouched for by a state' doesn't really work either, although for many institutions (e.g. banks) that's probably good enough (if a government wishes to confiscate one's funds, it will do that, rather than create a fake driver's license and hand it to someone to clean one's accounts out).
Perhaps some sort of social identity is possible? 'Charles is vouched for by Alice, Bob, Dave and Frank' might work, although there's the issue that someone has to vouch for each of Alice, Bob, Dave and Frank — there's a Sybil attack where someone, or a group of real people operating together, could create false identities.
For my own accounts though, if I nominate two persons I work with, four persons I go to church with, four more in my family and three friends then I'd feel pretty good if nine of those were allowed to vouch for my email. I think.
We have one: public keys (or more appropriately, their fingerprints). Building social trust on top of that is another layer of scope; you use the fingerprint to ensure you're communicating with a consistent digital entity, and then have an out-of-band way of confirming (for yourself) that this consistent digital entity is equivalent to this other consistent physical entity. Note that here I'm treating a web of trust as an out of band exchange: it only works because you have an existing (out of band) connection to someone, or because you are implicitly trusting consensus. "Bootstrapping" trust, at least in this context, is a psychological/social question that really cannot be answered technologically, and is different for every person.
That's all well and good, but the problem is finding a business-sustainable way to scalably deploy such a system.
> That's all well and good, but the problem is finding a business-sustainable way to scalably deploy such a system.
Is this effectively not how keybase.io works / what they are doing? Bootstrapping identity is pretty easy, unless you're working remotely. Even then, trust-on-first-use can probably go marginally farther than what we have now. I don't think the problem is scaling that web of trust, as not everyone should need to know / sign for every employee immediately.
I think the bigger issue is just getting people to adopt public keys and digital identities based on them. Hijacking identity through social engineering is pretty rare, even if it's not particularly "hard." So most people won't want to bother with something like this until it's too late.
Keybase is definitely working on creating a trust bridge between physical identity and (a specific type of) digital identity. Whether they've managed to do it in a scalable, business-sustainable way remains to be seen.
Let me be clear: that's not a slight against them; from a business standpoint I find no good analysis or speculation on their financial numbers and see no publicly commented monetization strategy). The reality of the world today is that if you can't make something economically self-perpetuating, it will almost certainly eventually fail -- especially if the problem you're trying to solve is one of as large a magnitude as literally any social interaction on the internet (they all involve connecting digital identities to physical ones).
From a technical standpoint, the primary problem I have with Keybase is that it uses PGP. I'm not [1] the only [2] person (and, since I'm effectively 100% unknown, I'm far, FAR from the most prominent, who is arguably Bruce Schneier [3]) to criticize PGP, but at the core of it, even ignoring substantial usability issues, have you ever tried to forward a PGP message? It's sort-of possible, if you re-encrypt and re-sign everything, but it's certainly not practical and definitely not scalable. Sharing and re-sharing is the cornerstone of much of the social internet, and PGP renders it effectively impossible.
Keybase has a really, really cool body of work surrounding "connect this PGP key to this physical identity", but unfortunately PGP keys are only one in a small subset of cryptographic identities, which is itself an even smaller subset of digital identities in general. I get why they've done it this way; the alternative is to write your own cryptographic protocol that nobody is using, which is a much riskier thing (speaking from experience [4]). But at the end of the day, all of Keybase hinges around using PGP (or a PGP-like approach), and I'm very skeptical that's a viable solution to the social problems we have today.
I believe this is a solvable UI / UX problem; what you are in fact criticizing is not the OpenPGP format of asymmetric keys, but rather the conventional implementations of PGP, based around GPG. I agree that GPG is not very user-friendly for the use cases at hand; but surely things can be improved on this front while not ditching the general PGP model itself?
edit as to the more technical issues, e.g. lack of PFS, core issue of initializing WoT, the defaults in the PGP format etc., yes, they suck, but surely one could iterate on the UX side of things, abstracting all internals behind a more general PGP API, and later gracefully changing the internals themselves, too? Not saying it's a piece of cake or anything!
To your first point: I agree that it's not the key format that's the problem with forwarding -- so, you could use a PGP key definition for a different message format that worked better, and as long as you ignored all of the extra stuff in a PGP public key definition, it's no harm no foul. At its core, it's just a public key.
But that's not what breaks forwarding, the actual message format does, and that isn't just a UI/UX problem. You must personally decrypt and re-encrypt the message against the public key of the person you're forwarding it to, and if the original author signed it you then need to somehow encapsulate the signature (which is outside of PGP spec), and then you're still left with the key distribution problem, which becomes exponentially more difficult with each tome the message is forwarded. That's not just a UI/UX problem, that's also a fundamental technical failing of the PGP message. PGP is incompatible with social.
That's not to say, by any stretch of the imagination, that these are unsolvable problems. Quite the opposite, actually; I hope at the very least that my company has made some decent progress down the road to solving them. I'm saying only that PGP simply isn't the vehicle to take us there, because it is (in my experience) a very poor design for general-purpose usage (especially social).
To your edit: unfortunately PGP encapsulation is really, really poorly situated to construct general-purpose abstractions on top of. It just doesn't work with reused (ie forwarded, replied, etc) data. Building an abstraction facade on top of that to ease transition to a new format, though technically possible, is definitely infeasible: both your storage requirements and computation requirements are going to increase linearly with each reuse of existing data (meaning it would grow exponentially with the number of shares, assuming the worst case, that everyone re-shares it).
All the stuff you said was out of scope is part of identity.
Public key fingerprints probably aren't a solution that users are ready for either. There's an analogy with PGP. It works, but good luck getting people to use it under normal circumstances.
"We need a good solution to identity. Right now most web services use 'has control of an email account,' while some others — to include email services — use 'has control of a phone number.'"
I nominate Oh By Codes[1], for obvious and selfish reasons.
We are currently working very simple, human (and machine) readable markup tags that you can put into your own, personal Oh By Code, which can then be used as your comprehensive contact token - and possibly for identity.
I just ordered a small stack of business cards that have nothing on them but:
0 x JOHN
and I will populate that, my personal code[2], with things like <pgppubkey></pgppubkey> and <phone></phone> and <email></email>. Then, instead of a cluttered up business card (or annoying, long interactions over the phone trying to spell out my email address, etc.) I can just direct interested parties to my Oh By Code which will contain whatever it is that they need.
Since the usable bits are in tags, you could do things like log into services, or address email, or dial a phone not with the phone number, but with the Oh By Code.
Yes, I am well aware of the enormous, almost insurmountable chicken and egg problem of Oh By Codes not being useful until everyone knows what they are.
> Yes, I am well aware of the enormous, almost insurmountable chicken and egg problem of Oh By Codes not being useful until everyone knows what they are.
I fail to see how what an "oh by" code achieves that cannot be achieved by an URL, save for the subjective beauty of the format looking like 0xffffff.
Plus, if this became a thing, everybody would have to put their total trust in "PERFECT PRIVACY, LLC" or "Oh By, Inc.", which seems a step backwards from the distributed nature of DNS.
Would you mind expanding a bit and explaining how this system can be used to log into services? That doesn't seem to be so obvious.
"I fail to see how what an "oh by" code achieves that cannot be achieved by an URL, save for the subjective beauty of the format looking like 0xffffff."
You're correct. Sadly, in 2016, it appears that most people aren't creating and maintaining their own web pages. I wish this weren't the case, but it is.
What's nice about an Oh By Code, other than being a lightweight (throwaway ?) website that you can (optionally) create for free is that you can communicate the "URL" in real life. You don't need a computer to pass on an Oh By Code. You can chalk it on the sidewalk or write it on a post-it note in a way that is difficult with URLs or other schemas (like email addresses).
In fact, it's even shorter and quicker than a phone number.
"Plus, if this became a thing, everybody would have to put their total trust in "PERFECT PRIVACY, LLC""
That's true. I'd say we have as good a track record as anyone. It's worth mentioning that the rsync.net warrant canary, which was the first warrant canary, turned ten this year.
"Would you mind expanding a bit and explaining how this system can be used to log into services? That doesn't seem to be so obvious."
I'm not sure. We're brainstorming ways in which it makes sense to give people an Oh By Code instead of giving people a phone number and this seemed to relate to this discussion. As I said, my new business card will have nothing on it except 0xJOHN.
A phone number is presumed to have some level of identity proofing behind it (i.e. control over the phone number means you have a credit card, bank account, photo id, etc.).
As the article points out, this turns out to be rather easy to spoof.
How do "oh by" codes solve this issue? What if I print up a bunch of business cards with 0xJOHN?
> Perhaps some sort of social identity is possible?
That won't work for people with no friends.
> We need a good solution to identity.
Perhaps an offline device, that uses your retina scan, fingerprint(s), and DNA encoding to — I don't know the correct cryptography jargon to describe all this — construct a temporary key, which you use with online service to create a username.
Then, whenever you need to log in to that service, you use the scanning device again to generate another temporary key, and use that a password.
That way, your physical attributes are your identity, but they are never stored or transmitted in a form that can be translated back to its inputs. You could also set a secret word on the device itself so your memory is also part of your identity, as is the norm now.
This system is of course still vulnerable to brute* force [1] but to mitigate that, the scanning device might allow you to set a fake "panic" password, which would generate an incorrect key, and maybe alert authorities.
We need a good solution to identity. Right now most web services use 'has control of an email account,' while some others — to include email services — use 'has control of a phone number.'
I don't trust governments in general, so 'is vouched for by a state' doesn't really work either, although for many institutions (e.g. banks) that's probably good enough (if a government wishes to confiscate one's funds, it will do that, rather than create a fake driver's license and hand it to someone to clean one's accounts out).
Perhaps some sort of social identity is possible? 'Charles is vouched for by Alice, Bob, Dave and Frank' might work, although there's the issue that someone has to vouch for each of Alice, Bob, Dave and Frank — there's a Sybil attack where someone, or a group of real people operating together, could create false identities.
For my own accounts though, if I nominate two persons I work with, four persons I go to church with, four more in my family and three friends then I'd feel pretty good if nine of those were allowed to vouch for my email. I think.