We built Key because all Internet users face two big problems.
- We transmit sensitive information like passwords, credit card numbers, and social security numbers to verify our identities, putting ourselves at risk of theft and impersonation.
- We don’t have direct control over who can access our data. Instead, we rely on frequently-changing privacy policies and terms of service to protect our safety and privacy.
Public-key cryptography offers a solution to both of these problems. Our browsers use public-key crypto every time we go to a site that uses https, and apps like Signal are making tremendous progress toward offering highly-secure and usable messaging. However, no one has offered a way for more developers to implement usable cryptography for consumers. In general, crypto has always imposed a usability penalty: users have to manually manage and verify keys, and their experience is often inconsistent and unreliable.
So why do we need usable cryptography? We still transmit sensitive data to authenticate, and nearly all of our emails, files, social media posts and messages are sent in insecure plain text. Key aims to make it easier for more developers to implement usable cryptography, with the goal of solving these two huge problems.
We’ve extended recent academic research[2] to develop a decentralized model for public-key verification and key management. Key’s approach makes end users and developers safer and more autonomous — you don’t have to trust our servers, or share any sensitive data, to implement Key. No user has to sign up for a Key account.
Instead, key management and verification are built around a decentralized provider model, where providers are untrusted, but offer proofs of the consistency of username-public key bindings. Anyone can run an instance of Key to provide public key management and verification, and we’re built to integrate with both new and existing products, making users safer without compromising on their experience. We don’t require the end-user to do any “work” — like manually verifying a public key — or blindly trust in a centralized public-key infrastructure. In fact, users don’t even have to be aware that their apps are using cryptography.
We envision a future in which we verify our identities, to our websites, to our institutions, and to each other, by exchanging public, non-sensitive data. We also want to enable much more of the content that we share with other people to be encrypted — and thus controlled by us, the users.
Password-less logins and contact-less payments already exist in some forms, but with Key, these interactions will become more secure, easier to implement, and more ubiquitous. This is only the beginning. We want to use encryption, signatures, and transparency logs in innovative ways, and we’re certain that there are radical possibilities that remain unthought. The future demands that cryptography play a bigger part in our lives, but first, it needs to become usable for both the developer and the end-user.
We want to accelerate the pace of crypto adoption by embracing decentralization both as a technical model and a social ethos. Key was built on principles of inclusion, transparency, and cooperation. We don’t want to become a centralized, monolithic service that controls everyone’s public keys. Rather, we want to work with a diverse group of contributors and other organizations to imagine and build a version of the Internet that is safer and more free.
We’ll be releasing more information and open-source code over the next few weeks and months. We’ll also be using this Medium channel to elaborate on why we built Key, and on the significance of crypto to the future of the Internet and society at large. Visit us at key.cx to sign up for our free, limited private beta, beginning later this month. If you have any questions or comments about Key, please get in touch at contact@key.cx. And follow us on Twitter!
- Photo by Loren Fulton: Pearl Bay, Vermont — not far from where Key was born.
- Key builds on the following projects, and we’re indebted to their creators.
Certificate Transparency: https://www.certificate-transparency.org/
CONIKS: https://eprint.iacr.org/2014/1004.pdf
Enhanced Certificate Transparency: https://eprint.iacr.org/2013/595.pdf
NaCl: https://nacl.cr.yp.to/
