The Keys to the Keys

Craig Burton has penned another crystalline piece called How to Spot an Unnecessary Identity Fail (after his previous piece, How to Divine the Bovine, this is starting to sound like a field guide to identisaurus). His key point: we’ve had asymmetric key cryptography for 30+ years and we are still storing usernames and passwords on servers where they can be ripped off.

What’s wrong with this picture?

In an IM session with him I pointed out that while moving entirely to asymmetric keys is a giant security win (because your private key is never stored on a server, at least not unencrypted), the problem has always been the usability of foisting private key management on the user (which is the only place it can truly be and still retain the full security advantages). Even Microsoft with their design for Information Cards (which are the closest we’ve ever come to full asymmetric key-based security infrastructure) never fully solved that problem.

Craig’s point is: that’s where the innovation needs to happen. Focus on that one fracture point and you can split the entire Internet security boulder.

And if you use password digests, or fancy split-key recovery protocols such as those Ben Laurie has been working on at Google, you end out not storing a secret anywhere except in a user’s head.

Keep that in mind as you start to watch personal clouds unfurling in the personal data ecosystem. They just might have enough rain (and thunder) to crack that boulder.


About Drummond Reed

Internet entrepreneur in identity, personal data, and governance frameworks
This entry was posted in Blogging, I-Cards, Information cards, Personal Cloud, Personal Data Ecosystem. Bookmark the permalink.

3 Responses to The Keys to the Keys

  1. Dave Kearns says:

    It’s not a fracture point, it’s the philosopher’s stone we’re looking for – and we’ll have as much success as the alchemists did.

  2. Jeff Schmidt says:

    As they say:

    A cipher is a device for converting a plaintext distribution problem
    into a key distribution problem.

    An ephemeral key-agreement protocol (e.g., Diffie-Hellman) is a device
    for converting a key distribution problem into an authentication problem.

    We’ve only succeeded in moving the problem around; real innovation is needed to solve the problem.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s