Steve Magennis

Founder, Polywug

Honey, do you know where I put my (cryptographic) Keys?

May 23, 2020

Most people maintain a handful of digital identities anchored in commercially recognizable email addresses (Gmail, Hotmail, Comcast, etc.). For each identity people may have ten’s or even hundreds of passwords that distinguish their usage. For example, a person following best practices may use me@gmail.com to identify themselves to their bank, their utility company, online retailers, etc, but have a unique password for each online account. Federated logins use a single user ID and password anchored with Google, LinkedIn or Facebook to access a wide range of internet sites. Federation makes the problem of managing IDs and passwords much smaller, but at the cost of opening up your ID and online activity to large organizations to manage.

We are seeing a global emergence of a group of technologies and standards that support something called Self Sovereign Identity (SSI) and Verifiable Credentials (VC). SSI and VC’s together increases trust at a distance, discourages fraud, enhances security and control of personal information, makes it easier to engage online and shifts the power balance a little bit towards the individual, away from organizations that deal in monetizing identity at large scale. All participants have a lot to gain with this change but it does come at the cost of issuing lots and lots of cryptographic keys, potentially thousands or ten’s of thousands of keys per person.

While the issuance of keys is trivial for today’s computational hardware, managing them is a challenging human issue. Think for a moment about normal things we interact with every day: busses, credit cards, computers, mugs. Without even thinking about it, we categorize and classify each of these in order to use them effectively and in the way we want to use them. The bus route and buss fare from work is different from the bus route to the museum on the weekend. Do I use a credit card with better points or lower interest to buy lunch, or to go shopping for clothes? Even the selection of a mug may depend on whether it will be used for coffee or coco, weekday or weekend mornings. We’re pretty good at mentally managing small numbers of things, we do it day in and day out. Now imagine you have five or ten thousand of anything to manage. Surprisingly very few things come to mind; words perhaps, memories, strands of hair on your head. Each of these are numerous and complex in their own right and are in turn supported by complex processes that evolve over a long period of time. Hair in this example may seem like an outlier, but really it illustrates an important vector for managing large numbers of things. I’m a towel dry and comb it in place kind of person. Others engage in what could not unreasonably be considered a deeply personal ritual in the maintenance their hair and one that continues to evolve over their entire life over. Still others fall somewhere in between. Effectively managing large numbers of things is not just a matter of cataloging stuff, it is a personal thing whose value is realized when it appropriately serves the needs of the individual at the time of need.

Learning to manage large numbers of cryptographic keys and other sensitive identity information using current tools is an effort whose size and difficulty is on the scale of learning a new language. The task at an individual level would be challenging and time-consuming to say the least, even if mature curriculum and training were available; which it is not. To make managing large numbers of keys practical and widespread without resorting to lengthy training and building brand new skill sets, tools to empower the individual are necessary.

At its most basic level, a tool will need to quickly produce a specific key from among thousands of stored keys. Additionally, it should be responsible for a host of other activities to support the user with issues of proper security, safety, maintenance and usability; acting as an agent working in partnership with a user whose needs are expected to evolve over time. The tool will need to have an effective organizational structure but one that can both change over time and adapt to new and unanticipated demand. Some learning of course will be required, but user centered design will be of utmost importance to limit the amount of effort required to internalize the new paradigms for key management.

Leave a Comment

Your email address will not be published. Required fields are marked *