Saturday, January 07, 2012

Sovereign Keys

I'm starting to look into Sovereign Keys, covered in more detail in [1] and [2].


That the current PKI system is brittle is accepted by many people.  Brainstorming and prototyping new internet service authentication approaches is first-order important, and Sovereign Keys is worthy of further investigation and support.


Seems like Sovereign Keys does introduce a few new concepts that need security analysis; the timeline servers offer an interesting capability, I wonder about vulnerabilities.  For that matter, I wonder about patents in this space.   There is a minefield of granted timestamping patents and while the timeline servers may not specifically address timestamping, I wonder of some of those patents were written generally enough to impact Sovereign Keys.


Note that a proposal from Adam Langley and Ben Laurie of Google [3] also introduces the notion of a public append-only log, in some ways similar to timeline servers, but not domain-specific.

[1] https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure 
[2] https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-key-design.txt;hb=HEAD
[3] https://threatpost.com/en_us/blogs/google-researchers-propose-new-plan-shore-ca-system-112911


No comments: