I want to preface this response saying I full agree with this, I want something like this to happen, I am responding because of some concerns I have. The real major one: How do you verify the authentication part of the data security chain?
A PGP key alone does not authentically validate that you are who you say you are. When the source is the untrusted party, it doesn’t accomplish the site’s goal. It’s the equivalent to me handing you a piece of paper saying “I’m John Smith and this is what I use to say I’m this” which works amazing for trusted exchanges, but when the source is “just trust me bro” it doesn’t solve anything for the website owner.
Websites get around this by having trust certificates/root servers that are co-signed with the PGP key. However, we lack any system like that for personal identities. Arguably, setting up such a system would isolate most of the known internet, as it is a significant roadblock, much like how SSL certificate usage was a huge roadblock for sites before Let’s Encrypt became a thing.
This setup would be amazing for logging into sites. However, it fails to accomplish what the websites that are asking for PII are looking for, which is verification that their user is who they say they are, and not a random third party.
To reliably use this setup, we would need something similar to Let’s Encrypt, but for user identification. The issue with that is it would become the de-facto attack vector (for both law enforcement and criminal parties), and that site would need to require PII to address the biggest concern on these sites, which is that you are who you say you are, and not Jo Smo or a bot looking to harvest data. Additionally, as mentioned earlier, a massive retraining of the internet would need to be done, which would mostly affect non-tech folk.
I am hopeful that an easy function that won’t violate users privacy comes out, but I don’t think the two topics are compatible sadly
The solution here is distributed trust by proxy. You start with a single exchange between two trusted peers, and build from there. As long as every individual link within the network is trusted, then any route between two disconnected endpoints can be trusted as well. As the network grows there is a very high statistical likelihood that there will exist many individual trust graphs between two nodes, which provides redundant validation.
I have always thought this would make a cool chat app. You enter the network by scanning someone’s QR code to become their validated peer, and then you can theoretically communicate with anyone else on the network by exchanging keys via trust graphs. You could then build a social network on top of it which shows you how many hops it takes you to get to some celebrity or some shit.
tox did something similar with this outcome, but it never took off. Basically with tox each account is actually stored locally, much like how Skype did when it was p2p, but the difference is your account is actually on your device, as in if you lost your “key” you lost your account, when you connected with others, you gave your friends your TOXID which was essentially your public key signature with some added information regarding what you wanted for privacy added to it, and then your messages were relayed through a p2p DHS network. Every communication was encrypted e2e. With tox anyone could create an account with any information, but only people you added were able to message you, and visa versa. The only time you were ever publicly disclosed was during adding contacts to people you didn’t already have, which helped minimize botting on it as bots wouldn’t be able to message you without your ID. The issue with that method was, both parties had to be online to message each other, there was no central server to manage identity and handle users, so every connection was considered trusted since you had to manually add the person via their tox ID.
I expect this solution /could/ be moved into a centralized system for all user accounts, since the only way to add people was manually adding their private key, but I would expect that on large scale, the lack of ability to actually stop problematic users might dissuade platforms from wanting to implement it, since account creation was as easy as just clicking “create account” and no accounts were ever verified server side, which in order to do, brings back to the issue topic: Privacy vs Security
How do they currently solve this problem for passwords?
You could just have the register/create account button lead to a pubkey upload instead of a ‘set password’, no?
This problem isn’t addressing password authentication, its the website knowing who you are and that you are legitimate. Websites that collect things such as phone numbers during account creation don’t collect your PII as part of your password procedure. They collect it as a verification that you are an actual being and not a fake account/bot. The ease of being able to go through a forgot password thing is just a positive side effect.
This solution would work amazingly for logging in, there’s no argument for that, but it doesn’t address the elephant in the room: That the website wants to make sure you are a person/legitimate account and not a fake alias or a bot to scrape info, and when you are the only one providing that information that claim can’t be verified.
I want to preface this response saying I full agree with this, I want something like this to happen, I am responding because of some concerns I have. The real major one: How do you verify the authentication part of the data security chain?
A PGP key alone does not authentically validate that you are who you say you are. When the source is the untrusted party, it doesn’t accomplish the site’s goal. It’s the equivalent to me handing you a piece of paper saying “I’m John Smith and this is what I use to say I’m this” which works amazing for trusted exchanges, but when the source is “just trust me bro” it doesn’t solve anything for the website owner.
Websites get around this by having trust certificates/root servers that are co-signed with the PGP key. However, we lack any system like that for personal identities. Arguably, setting up such a system would isolate most of the known internet, as it is a significant roadblock, much like how SSL certificate usage was a huge roadblock for sites before Let’s Encrypt became a thing.
This setup would be amazing for logging into sites. However, it fails to accomplish what the websites that are asking for PII are looking for, which is verification that their user is who they say they are, and not a random third party.
To reliably use this setup, we would need something similar to Let’s Encrypt, but for user identification. The issue with that is it would become the de-facto attack vector (for both law enforcement and criminal parties), and that site would need to require PII to address the biggest concern on these sites, which is that you are who you say you are, and not Jo Smo or a bot looking to harvest data. Additionally, as mentioned earlier, a massive retraining of the internet would need to be done, which would mostly affect non-tech folk.
I am hopeful that an easy function that won’t violate users privacy comes out, but I don’t think the two topics are compatible sadly
The solution here is distributed trust by proxy. You start with a single exchange between two trusted peers, and build from there. As long as every individual link within the network is trusted, then any route between two disconnected endpoints can be trusted as well. As the network grows there is a very high statistical likelihood that there will exist many individual trust graphs between two nodes, which provides redundant validation.
I have always thought this would make a cool chat app. You enter the network by scanning someone’s QR code to become their validated peer, and then you can theoretically communicate with anyone else on the network by exchanging keys via trust graphs. You could then build a social network on top of it which shows you how many hops it takes you to get to some celebrity or some shit.
tox did something similar with this outcome, but it never took off. Basically with tox each account is actually stored locally, much like how Skype did when it was p2p, but the difference is your account is actually on your device, as in if you lost your “key” you lost your account, when you connected with others, you gave your friends your TOXID which was essentially your public key signature with some added information regarding what you wanted for privacy added to it, and then your messages were relayed through a p2p DHS network. Every communication was encrypted e2e. With tox anyone could create an account with any information, but only people you added were able to message you, and visa versa. The only time you were ever publicly disclosed was during adding contacts to people you didn’t already have, which helped minimize botting on it as bots wouldn’t be able to message you without your ID. The issue with that method was, both parties had to be online to message each other, there was no central server to manage identity and handle users, so every connection was considered trusted since you had to manually add the person via their tox ID.
I expect this solution /could/ be moved into a centralized system for all user accounts, since the only way to add people was manually adding their private key, but I would expect that on large scale, the lack of ability to actually stop problematic users might dissuade platforms from wanting to implement it, since account creation was as easy as just clicking “create account” and no accounts were ever verified server side, which in order to do, brings back to the issue topic: Privacy vs Security
Like this?
https://en.wikipedia.org/wiki/Secure_Scuttlebutt
How do they currently solve this problem for passwords? You could just have the register/create account button lead to a pubkey upload instead of a ‘set password’, no?
This problem isn’t addressing password authentication, its the website knowing who you are and that you are legitimate. Websites that collect things such as phone numbers during account creation don’t collect your PII as part of your password procedure. They collect it as a verification that you are an actual being and not a fake account/bot. The ease of being able to go through a forgot password thing is just a positive side effect.
This solution would work amazingly for logging in, there’s no argument for that, but it doesn’t address the elephant in the room: That the website wants to make sure you are a person/legitimate account and not a fake alias or a bot to scrape info, and when you are the only one providing that information that claim can’t be verified.