Google floats prototype Key Transparency to tackle secure swap woes

Google has released an open-source technology dubbed Key Transparency, which is designed to offer an interoperable directory of public encryption keys. Key Transparency offers a generic, secure way to discover public keys. The technology is built to scale up to internet size while providing a way to establish secure …

Silver badge
Coat

I thought the tune was...

♪ I've got a brand new pair of roller skates, You've got a brand new key.♪

It's Friday, I'm outta here...

2
0
Silver badge
Devil

Re: I thought the tune was...

Not just Friday, but Friday the 13th!

0
0

Yahoo?

I trust their security team's only involvement was to make the tea

0
0

Re: Yahoo?

That is totally not fair on the Yahoo security team.

They're highly paid professional security researchers and have contributed much to the security state of the art.

Bearing in mind that much of that has been in the form of an object lesson...

They can certainly do biscuits as well, surely?

5
0
Silver badge

Re: Yahoo?

"They can certainly do biscuits as well, surely?"

Only if they get someone else to fetch them from the shop.

0
0
Big Brother

One more method of identifying individuals and gathering their info under one index.

5
0
Big Brother

paranoid...not too much!

Agreed. The point of gpg is that you can generate your own keys for different purposes.

Some identified (work, bank, medical records!)

some semi-anonymous (el reg, facebook...)

some anonymous (my holiday snap, other *private* media).

Identity != Intent.

We need to keep educating the "others" about this...

P.

0
0
Silver badge

Re: paranoid...not too much!

No, what we need to do is find a way to do things on the average person's level. That is, bad memories, often without second factors, and looking for turnkey solutions that involve little more than "click here once or twice". We have to make security no more difficult than finding and using the front door key. Otherwise, people won't bother, as experience demonstrates.

2
0
Gold badge

Explanation?

I can't find, either in the article or any of the links, an explanation of how it works. Is it just too clever?

1
0

Re: Explanation?

The blog post links to https://github.com/google/key-transparency/

0
0
Silver badge

Re: Explanation?

Google says it is a work-in-progress (and they want input and feedback from the community). However, Google say it is inspired by CONIKS, and provide a link to this PDF which contains diagrams, graphs and maths:

https://eprint.iacr.org/2014/1004.pdf

0
0
Anonymous Coward

Fuck this.

The best way to secure your comms is to have an old Klingon-speaking pissed-up Cornish geezer at both ends and communicate through them.

I'd love to see "bad actors" intercept that.

0
0
Silver badge

Re: Fuck this.

Simple. Use a THIRD Klingon-speaking pissed-up Cornish geezer.

0
0
Silver badge

Is this what we really need?

I would have said we need something different:

1. Personal Certificate Authorities

2. Per-contact keys/certificates.

3. Simple distribution (email headers?)

4. Simple key acquisition (mail clients, social media?)

5. Simple point of presence servers, linked to addressbooks, address-book groups.

Do we mainly need foolproof encryption or do we need enough security to make scams, phishing etc mostly unprofitable? Do we need a way to easily recognise friends when they connect to our web servers. Even if their systems are compromised, it shouldn't compromise everyone else I know, because I've given them all their own certificates for connecting to my systems, so I can run my own "facebook-wall" which they can reference on their "facebook-wall" but which stays firmly under my control, on my servers.

0
0
Anonymous Coward

Re: Is this what we really need?

"Do we mainly need foolproof encryption or do we need enough security to make scams, phishing etc mostly unprofitable?"

Yes, you need BOTH. Without foolproof encryption, no one will be inclined to use it, or a better fool will find a way to make things miserable for all of us. And without some way to assure identity, scams and such will ALWAYS be prevalent, since they all depend on anonymity (or at least pseudonymity) to operate. And since the return for just a few hits makes whole campaigns profitable, you can't defeat the money angle without collateral damage.

"Do we need a way to easily recognise friends when they connect to our web servers."

Yes, otherwise Mallory or Gene can POSE as your friends.

"Even if their systems are compromised, it shouldn't compromise everyone else I know, because I've given them all their own certificates for connecting to my systems, so I can run my own "facebook-wall" which they can reference on their "facebook-wall" but which stays firmly under my control, on my servers."

Governments have shown the patience needed to reconstruct trails. They'll take over one identity, use it to get to another, and so on.

0
0
