Google floats prototype Key Transparency to tackle secure swap woes

Google has released an open-source technology dubbed Key Transparency, which is designed to offer an interoperable directory of public encryption keys. Key Transparency offers a generic, secure way to discover public keys. The technology is built to scale up to internet size while providing a way to establish secure …

  1. Herby Silver badge
    Coat

    I thought the tune was...

    ♪ I've got a brand new pair of roller skates, You've got a brand new key.♪

    It's Friday, I'm outta here...

    1. Ian Michael Gumby Silver badge
      Devil

      Re: I thought the tune was...

      Not just Friday, but Friday the 13th!

  2. fnusnu

    Yahoo?

    I trust their security team's only involvement was to make the tea

    1. David Dawson

      Re: Yahoo?

    That is totally not fair on the Yahoo security team.

      They're highly paid professional security researchers and have contributed much to the security state of the art.

      Bearing in mind that much of that has been in the form of an object lesson...

      They can certainly do biscuits as well, surely?

      1. Anonymous Coward

        Re: Yahoo?

        "They can certainly do biscuits as well, surely?"

        Only if they get someone else to fetch them from the shop.

  3. NoneSuch
    Big Brother

    One more method of identifying individuals and gathering their info under one index.

    1. phil dude
      Big Brother

      paranoid...not too much!

      Agreed. The point of gpg is that you can generate your own keys for different purposes.

      Some identified (work, bank, medical records!)

      some semi-anonymous (el reg, facebook...)

      some anonymous (my holiday snap, other *private* media).

      Identity != Intent.

      We need to keep educating the "others" about this...

      P.

      1. Charles 9 Silver badge

        Re: paranoid...not too much!

        No, what we need to do is find a way to do things on the average person's level. That is, bad memories, often without second factors, and looking for turnkey solutions that involve little more than "click here once or twice". We have to make security no more difficult than finding and using the front door key. Otherwise, people won't bother, as experience demonstrates.

  4. Ken Hagan Gold badge

    Explanation?

    I can't find, either in the article or any of the links, an explanation of how it works. Is it just too clever?

    1. FelixReg

      Re: Explanation?

      The blog post links to https://github.com/google/key-transparency/

    2. Dave 126 Silver badge

      Re: Explanation?

      Google says it is a work-in-progress (and they want input and feedback from the community). However, Google say it is inspired by CONIKS, and provide a link to this PDF which contains diagrams, graphs and maths:

      https://eprint.iacr.org/2014/1004.pdf

  5. Anonymous Coward

    Fuck this.

    The best way to secure your comms is to have an old Klingon speaking pissed up Cornish geezer at both ends and communicate through them.

    I'd love to see "bad actors" intercept that.

    1. Charles 9 Silver badge

      Re: Fuck this.

      Simple. Use a THIRD Klingon-speaking pissed-up Cornish geezer.

  6. P. Lee Silver badge

    Is this what we really need?

    I would have said we need something different:

    1. Personal Certificate Authorities

    2. Per-contact keys/certificates.

    3. Simple distribution (email headers?)

    4. Simple key acquisition (mail clients, social media?)

    5. Simple point of presence servers, linked to addressbooks, address-book groups.

    Do we mainly need foolproof encryption or do we need enough security to make scams, phishing etc mostly unprofitable? Do we need a way to easily recognise friends when they connect to our web servers. Even if their systems are compromised, it shouldn't compromise everyone else I know, because I've given them all their own certificates for connecting to my systems, so I can run my own "facebook-wall" which they can reference on their "facebook-wall" but which stays firmly under my control, on my servers.

    1. Anonymous Coward

      Re: Is this what we really need?

      "Do we mainly need foolproof encryption or do we need enough security to make scams, phishing etc mostly unprofitable?"

      Yes, you need BOTH. Without foolproof encryption, no one will be inclined to use it, or a better fool will find a way to make things miserable for all of us. And without some way to assure identity, scams and such will ALWAYS be prevalent, since they all depend on anonymity (or at least pseudonymity) to operate. And since the return for just a few hits makes whole campaigns profitable, you can't defeat the money angle without collateral damage.

      "Do we need a way to easily recognise friends when they connect to our web servers."

      Yes, otherwise Mallory or Gene can POSE as your friends.

      "Even if their systems are compromised, it shouldn't compromise everyone else I know, because I've given them all their own certificates for connecting to my systems, so I can run my own "facebook-wall" which they can reference on their "facebook-wall" but which stays firmly under my control, on my servers."

      Governments have shown the patience needed to reconstruct trails. They'll take over one identity, use it to get to another, and so on.
