User-friendly PKI: not yet

Public-key infrastructure is great. When it works, you can be quite sure that you are communicating with whom you want to communicate, and you can even communicate securely if you wish. Alice and Clare can send each other mail, and Bob won’t be able to sneak in there and read it.

It’s supremely easy for Alice to create a private key, and publish her public key to a keyserver. “That’s it?” she thinks, with a leap of her heart. “Wow! It’s so easy!”

Let’s fast-forward a bit.

For a while, Alice and Clare have fun sending encrypted messages back and forth. They find a plug-in to send encrypted mail through their GMail accounts (FireGPG), and that’s useful for a while, although oops, the developer discontinues GMail support. But they can still use other clients, and they do so.

Things are hunky-dory for a while.

Then one day Alice upgrades her computer, and she forgets to migrate her private key over to the new box. She doesn’t have her passphrase at hand, of course, because she had her e-mail client save it for her; she had it on a sticky note so she only had to look it up once in a while.

“Oh, well,” thinks Alice. “I’ll just create a new public key.”

Oops. Is this user-friendly?

Now Alice has a PGP key sitting out there on a keyserver. She can’t use it because she doesn’t have the equivalent private key. She can’t revoke it because she didn’t think it was that important to create a revocation certificate at the time and save it. Someone told her to do that once. “Don’t save it in the cloud, but on a disk that would never lose its data and could never be compromised. Then lock it away in a safe in your basement. You did make sure your basement was a Faraday cage, didn’t you?”

PKI is such a useful, powerful tool. But… it’s still very easy to screw up and cause lasting damage, though. I guess it’s like a “Hole Hawg,” an apt comparison to other powerful technologies, as noted by Neal Stephenson.

There IS an option for Alice. She can create a new key, with a user ID like: “only use this key. That other one is bad,” and then get all her friends to sign the new key. There are other techniques, but that’s pretty much as close as she’s going to get.

Questions like this in security-related topics interest me: If it’s easier to use, will more people use it? And if it’s more widely used, will that increase its relevance?

Advertisements

2 Comments on “User-friendly PKI: not yet”

  1. Alice was foolish to create a key valid for all time!

    limiting key validity for 6 months is far less inane

    was not mentioning this essential feature or good security practice borne of similar ignorance?

    the same ignorance that prizes security while ignoring sacrosanct PRIVACY?? The kind of sheeple offering themselves upon the altar of Google, a slice at a time using “free” properties such as Gmail? The fourth amendment shores privacy.

    would you not speak against Google’s raping user privacy AS profit?

    never tolerate privacy as a commodity!!

    XMPP OTR, mpOTR & sasl scram, zRTP or sRTP… inconsistency is folly

    • fourstar says:

      Privacy is important, and Google’s practices may be bad — though the easy escape is just to blame Alice (or the post’s author, for that matter).

      The point I raise here is, “security versus usability.” Further, the case could be made that, without usability, we won’t have security. For example, I’ll write my password on a sticky note and stick it to my monitor if it’s too hard to remember.

      Many of us willingly give up our privacy to services that work hard to achieve high “usability.” I think those of us in the security space can learn from that.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s