I thought the tune was...
♪ I've got a brand new pair of roller skates, You've got a brand new key.♪
It's Friday, I'm outta here...
Google has released an open-source technology dubbed Key Transparency, which is designed to offer an interoperable directory of public encryption keys. Key Transparency offers a generic, secure way to discover public keys. The technology is built to scale up to internet size while providing a way to establish secure …
That is totally not fair on the yahoo security team.
They're highly paid professional security researchers and have contributed much to the security state of the art.
Bearing in mind that much of that has been in the form of an object lesson...
They can certainly do biscuits as well, surely?
Agreed. The point of gpg is that you can generate your own keys for different purposes.
Some identified (work, bank, medical records!)
some semi-anonymous (el reg, facebook...)
some anonymous (my holiday snap, other *private* media).
Identity != Intent.
We need to keep educating the "others" about this...
P.
No, what we need to do is find a way to do things on the average person's level. That is, bad memories, often without second factors, and looking for turnkey solutions that involve little more than "click here once or twice". We have to make security no more difficult than finding and using the front door key. Otherwise, people won't bother, as experience demonstrates.
I would have said we need something different:
1. Personal Certificate Authorities
2. Per-contact keys/certificates.
3. Simple distribution (email headers?)
4. Simple key acquisition (mail clients, social media?)
5. Simple point of presence servers, linked to addressbooks, address-book groups.
Do we mainly need foolproof encryption or do we need enough security to make scams, phishing etc mostly unprofitable? Do we need a way to easily recognise friends when they connect to our web servers. Even if their systems are compromised, it shouldn't compromise everyone else I know, because I've given them all their own certificates for connecting to my systems, so I can run my own "facebook-wall" which they can reference on their "facebook-wall" but which stays firmly under my control, on my servers.
"Do we mainly need foolproof encryption or do we need enough security to make scams, phishing etc mostly unprofitable?"
Yes, you need BOTH. Without foolproof encryption, no one will be inclined to use it, or a better fool will find a way to make things miserable for all of us. And without some way to assure identity, scams and such will ALWAYS be prevalent, since they all depend on anonymity (or at least pseudonymity) to operate. And since the return for just a few hits makes whole campaigns profitable, you can't defeat the money angle without collateral damage.
"Do we need a way to easily recognise friends when they connect to our web servers."
Yes, otherwise Mallory or Gene can POSE as your friends.
"Even if their systems are compromised, it shouldn't compromise everyone else I know, because I've given them all their own certificates for connecting to my systems, so I can run my own "facebook-wall" which they can reference on their "facebook-wall" but which stays firmly under my control, on my servers."
Governments have shown the patience needed to reconstruct trails. They'll take over one identity, use it to get to another, and so on.