1. 2
  1.  

  2. 4

    I’m no crypto expert, but isn’t the crux of the issue step 2:

    Share your keys in some way

    To me as a newbie, that seems to be the fundamental problem of cryptography–how can we share keys in a way that is secure and ensures that only the entity we want gets the key.

    1. 2

      It’s unsolved. You can’t (yet?) just magic up some trust out of nowhere. Every solution relies on some trusted (or at least previously identified, untrusted, but verifiable) entity, or some previous trusted setup/communication. Then, cryptography can stretch that trust to many parties, many messages, whatever.

      1. 1

        Every solution relies on some trusted (or at least previously identified, untrusted, but verifiable) entity, or some previous trusted setup/communication.

        This is key. There are enough third party services which can serve as routes to verify public assets. Their lack of coordination is the opening upon which private networks can be built.

        1. 1

          That is unfortunately fragile. Security through obscurity. Maybe this strategy works for the masses just trying not to get caught up in dragnets/passive surveillance, but it’s critical that we don’t recommend these types of solutions to people who actually need protection from malicious governments/nation states.

      2. 2

        I’ve thought about that but I haven’t really come up with a perfect solution. Considering key sharing parties are not as convenient as using the internet so I wanted to use the internet to do it. At that point I think the best solution is hiding in the crowd, which means sharing your key on third party services. If you do that then in most cases you’re talking about using browser. The browser’s security, not to mention attackers who target our browsers can possibly be an issue but I’d rather assume that we can trust it for now so we can focus on getting your public key to another person.

        You’ve got a couple of options for the initial key share between participants who have no existing secure channels through other people:

        1. Directly messaging the person you want with your public key
        2. Posting your public key in a public forum.

        Option one leaves a record of you interacting with that specific person and it’s also susceptible to targeted interception and manipulation by the service. I believe the better option is two. Using steganography allows people to keep their public key sharing hidden. The size of a public key is under 200 bytes which considering the size of images being shared today is below the level of any stego detection techniques that I’ve found.

        As long as the images posted are expected to be unmodified by the time they hit everyone else’s screen you’ve just successfully shared your key. Most services aren’t looking and after bootstrapping the p2p key network on this most of the key sharing will happen between members of the group. There are some things I’ve omitted and some problems that I haven’t seen yet but it seems to be the path forward.