[Freedombox-discuss] Identity management
Howdy,
I looked at MonkeySpheres and PGP (and GPG) and I have a philosophical
question about "Box identity" and "User identity". The details of GPG and
PGP are the use of large primes which are not humanly possible to
remember. This forces the use of some disk storage for secret keys.
One of the main arguments for using elliptic curve crypto is that any key
can be used. Usually it is a hash of a pass phrase (and one can go nuts
dealing with pass phrase security too, but let's not go there for now).
The fundamental philosophy is that the User identity is never stored
except in the user's head. This is very different than the way GPG and
PGP are set up.
My personal feeling is that it is far safer to not have any tie between
the person and digital media. A person's secret key can be derived every
time they need it, on any device using a simple hash function. This
allows multiple identities very easily (so long as the person remembers
the pass phrase for each identity). This makes the secret key ephemeral
as far as hardware goes, which makes the system safer from post mortem
attacks.
The other problem I've had with PGP and GPG in the past is that it
requires the user to understand what the security system is doing. I'd
rather see an "invisible" security system. It might be more complicated
internally, but from the users perspective the security system should just
work, or it should just fail.
I think this fits in with the philosophy of the Freedombox - anybody
should just plug it in and go. As a blue print I don't mind starting with
Monkeysphere - but in the long run I think it requires the user to know
too much.
I've only just started looking into this, so if I'm way off base for what
the goals are please set me straight.
Patience, persistence, truth,
Dr. mike
Reply to: