Google Introduces Public Key Account Verification Project
Google has started an open source project to verify the relationship between an account and a public key. The software was developed in collaboration with Open Whisper Systems, known for the Signal protocol for end-to-end encryption.
Key Transparency is a transparent directory for account data audits, according to Google. It is meant to be usable in a wide range of security applications where encryption and authentication matter, even by people who are not experts in this field. Google points to PGP, which it says is still difficult to use twenty years after its creation.
According to Google, the underlying problem lies in finding keys, and in particular in verifying that a public key actually belongs to the person to be reached. The same problem arises with chat apps, file sharing and software updates.
With Key Transparency, users should be able to see which public keys are associated with their account, while a sender should be able to see, for example, how long an account has been active. The public directory is also meant to show when accounts have been updated and who made those updates.
Ultimately, Google wants Key Transparency directories to be mutually interoperable and to grow into a scalable ecosystem. Google is therefore not working on the project alone, but together with Yahoo, the team behind the CONIKS key management system and Open Whisper Systems, among others. The latter is known for the Signal protocol for end-to-end encryption, which is implemented in WhatsApp and the Signal app. Signal allows users to use QR codes to verify that they are communicating securely with the right person. Signal also ran into problems in trying to make this as intuitive as possible for users.