Evaluate CONIKS as an authenticator
Reported by: arlolra | Owned by: huyvq
CONIKS is a practical key management system in which identity providers maintain directories of public keys on behalf of users of end-to-end secure communication systems. Our main motivation for designing CONIKS was to address the drawbacks of current trust establishment methods: (1) users either have to "manually" verify each other's keys, which has been shown to be cumbersome and error-prone for the vast majority of users, or (2) their secure messaging provider manages their keys on their behalf but these keys are not protected against tampering by a malicious provider, or compromise/coercion by malicious outsiders.
CONIKS makes it easier for users (both "default" users and stricter security-conscious users) to establish trust since they don't have to worry about or even see keys, but they also don't have to trust the identity provider to not insert spurious keys into its key directory because the key directories are maintained in tamper-evident and publicly auditable data structures (similar to a Certificate Transparency log). CONIKS includes automatic key verification, directory audit, and key change and revocation protocols which a CONIKS-enabled messaging client runs in the background, and which are efficient enough to be run on today's mobile devices. Information in the key directories is also stored in a privacy-preserving manner to prevent enumeration of users or keys during the directory audits.
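The tamper-evident, auditable directory described above can be illustrated with a small sparse Merkle prefix tree. The following Python is an added example written for this ticket; it is not CONIKS's own code and not part of Tor. It makes two simplifying assumptions, both marked in the code: the tree is 32 levels deep rather than a full hash width, and a keyed hash of the username stands in for the VRF that CONIKS uses to derive a private index (a real client can verify a VRF output without the provider's secret; this stand-in only shows that auditors see hashed indices, not usernames). The public keys are constructed byte strings. The example shows an inclusion proof checking out against the published root, a proof of absence for an unregistered user, and a provider-substituted key failing to verify against that root.

```python
import hashlib
import hmac

DEPTH = 32  # toy tree depth (assumption); a deployment would use the full hash width
DIRECTORY_SECRET = b"directory-vrf-secret-placeholder"  # constructed; stands in for the VRF key


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def private_index(username: str) -> int:
    # Keyed hash standing in for CONIKS's VRF: the tree is keyed by this value,
    # so someone walking the tree learns indices, not usernames.
    digest = hmac.new(DIRECTORY_SECRET, username.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")  # first 32 bits select the leaf


# EMPTY[h] is the hash of an empty subtree of height h, so the sparse tree
# never has to materialise the 2**32 leaves that hold nothing.
EMPTY = [H(b"empty")]
for _ in range(DEPTH):
    EMPTY.append(H(EMPTY[-1], EMPTY[-1]))


def leaf_hash(index: int, pubkey: bytes) -> bytes:
    return H(b"leaf", index.to_bytes(4, "big"), pubkey)  # domain-separated leaf


def bit_at(index: int, height: int) -> int:
    # Bit that chooses left (0) or right (1) when descending from a node of this height
    return (index >> (height - 1)) & 1


class KeyDirectory:
    """Provider-side directory: private index -> public key, hashed into a Merkle tree."""

    def __init__(self):
        self.entries = {}

    def register(self, username: str, pubkey: bytes) -> None:
        self.entries[private_index(username)] = pubkey

    def _subtree(self, items: dict, height: int) -> bytes:
        if not items:
            return EMPTY[height]
        if height == 0:
            (index, pubkey), = items.items()  # all bits matched, so exactly one entry
            return leaf_hash(index, pubkey)
        left = {i: k for i, k in items.items() if bit_at(i, height) == 0}
        right = {i: k for i, k in items.items() if bit_at(i, height) == 1}
        return H(self._subtree(left, height - 1), self._subtree(right, height - 1))

    def root(self) -> bytes:
        # This is what the provider publishes each epoch (the signed tree root in CONIKS)
        return self._subtree(self.entries, DEPTH)

    def prove(self, username: str):
        """Authentication path for a username: (index, key or None, sibling hashes root->leaf)."""
        index = private_index(username)
        pubkey = self.entries.get(index)
        siblings, items = [], self.entries
        for height in range(DEPTH, 0, -1):
            b = bit_at(index, height)
            same = {i: k for i, k in items.items() if bit_at(i, height) == b}
            other = {i: k for i, k in items.items() if bit_at(i, height) != b}
            siblings.append(self._subtree(other, height - 1))
            items = same
        return index, pubkey, siblings


def verify(root: bytes, index: int, pubkey, siblings: list) -> bool:
    """Client-side check: recompute the root from the leaf and its siblings."""
    node = EMPTY[0] if pubkey is None else leaf_hash(index, pubkey)  # None = proof of absence
    for height in range(1, DEPTH + 1):
        sib = siblings[DEPTH - height]
        node = H(node, sib) if bit_at(index, height) == 0 else H(sib, node)
    return node == root


def demo():
    directory = KeyDirectory()
    directory.register("alice", b"alice-pubkey-v1")  # constructed keys
    directory.register("bob", b"bob-pubkey-v1")
    root = directory.root()

    genuine = verify(root, *directory.prove("alice"))
    # A provider that serves a different key for alice cannot make it verify
    # against the root it already published: the tampering is evident to the client.
    index, _, siblings = directory.prove("alice")
    substituted = verify(root, index, b"attacker-pubkey", siblings)
    absent = verify(root, *directory.prove("carol"))  # carol never registered
    return genuine, substituted, absent


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

A client that pins the root it last saw (or compares roots with other clients, as the CONIKS audit does) will notice any key change that was not reflected in a new published root, which is the property that removes the need to trust the provider's honesty for directory contents.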