
Nyms Identity Directory - escapologybb
http://nyms.io/
======
brl
Hi, I'm the author of this document and principal developer of the project.
This is a somewhat detailed design overview for a proposed alternative to the
PGP keyserver system that I'm building and I didn't really write it for a
general audience to avoid cluttering it up with too much background
information.

Sometime soon we're going to improve the website with a friendlier high-level
description of the goals of the project and the problems that it solves. For
now, I apologize that this rather dense document is the only information
available.

It might be easier to understand what I'm trying to achieve by reading a post
I made yesterday to the modern crypto mailing list which summarized the
important features of Nyms:

[https://moderncrypto.org/mail-archive/messaging/2014/000602.html](https://moderncrypto.org/mail-archive/messaging/2014/000602.html)

------
HerrMonnezza
I do not see how Nyms protects against identity/email theft (which they list
as a concern with current OpenPGP keyservers).

According to the description of the "Remote Verification Protocol", I would be
able to associate my GPG key with any identity / email address, provided I can
reply to emails sent to that address (at least during the verification pass).

It's certainly an improvement (OpenPGP keyservers provide no verification
whatsoever), but it's not secure in any way and does not address the strong
anonymity concerns that are exposed in the intro...
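
As an added illustration of the point raised in this comment (example code written for this page, not the Nyms project's Remote Verification Protocol, whose exact messages are not shown here), the following shows the smallest form of mailbox-based verification: the directory issues a challenge token bound to an email address and a key fingerprint, the token is mailed to that address, and whoever echoes it back within the validity window gets the key/address binding accepted. The token carries an HMAC under a server secret and a single-use nonce, so it cannot be forged or replayed, but the only thing a successful check proves is mailbox access at that moment, which is exactly why short expiry and periodic recertification matter. All addresses, fingerprints and the server secret are constructed demo values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed demo values; a real deployment would load these from config.
SERVER_SECRET = b"demo-server-secret-not-for-real-use"
CHALLENGE_TTL = 600  # seconds a challenge remains valid

# Nonces already redeemed, so a captured token cannot be replayed.
_used_nonces = set()


def _payload(email: str, key_fingerprint: str, expires: int, nonce: str) -> bytes:
    """Canonical byte string that the token's HMAC covers."""
    return f"{email}|{key_fingerprint}|{expires}|{nonce}".encode()


def issue_challenge(email: str, key_fingerprint: str, now: Optional[float] = None) -> dict:
    """Create a challenge that binds (email, key_fingerprint) to a fresh nonce and an expiry.

    The directory would send `token` to `email`; only a party that can read that
    mailbox during the window can echo it back.
    """
    now = time.time() if now is None else now
    expires = int(now) + CHALLENGE_TTL
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, _payload(email, key_fingerprint, expires, nonce),
                   hashlib.sha256).hexdigest()
    return {
        "email": email,
        "key_fingerprint": key_fingerprint,
        "token": f"{expires}.{nonce}.{tag}",
    }


def verify_reply(email: str, key_fingerprint: str, token: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Check a token echoed back in a reply. Returns (accepted, reason).

    Accepting proves that someone who could read mail at `email` asked for this
    key to be bound to it; it proves nothing about who that someone is.
    """
    now = time.time() if now is None else now
    try:
        expires_s, nonce, tag = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False, "malformed token"
    if now > expires:
        return False, "challenge expired"
    if nonce in _used_nonces:
        return False, "token already redeemed"
    expected = hmac.new(SERVER_SECRET, _payload(email, key_fingerprint, expires, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "token was not issued for this email/key pair"
    _used_nonces.add(nonce)
    return True, "mailbox control demonstrated for this key at verification time"


if __name__ == "__main__":
    challenge = issue_challenge("alice@example.org", "FP-ALICE", now=1000)
    print(verify_reply("alice@example.org", "FP-OTHER", challenge["token"], now=1100))
    print(verify_reply("alice@example.org", "FP-ALICE", challenge["token"], now=1100))
    print(verify_reply("alice@example.org", "FP-ALICE", challenge["token"], now=1100))
```

The binding check is deliberately narrow: a token minted for one key fingerprint is rejected when presented for another, an expired token is rejected, and a redeemed nonce cannot be used twice. None of those checks can distinguish the legitimate owner of the address from anyone else who can read its mail during the window, which is the limitation the comment above describes.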

------
diafygi
I feel like these types of PKI proposals don't really address the various
aspects of user adoption. How do you convince a user to use something like
this?

Most users have no concept of keys, much less private and public keys. So how
do you expect them to understand that they (1) need to generate a key pair,
(2) keep one of those keys private, (3) register the other key with your
service, (4) publish one of the keys on Twitter, (5) use a local email client
instead of Gmail or Yahoo, and (6) keep re-certifying with your service every
30 days?

It's much easier to just tell someone to install TextSecure and use that for
your one-off conversation, then go back to them using Gmail for everything
else. Like it or not, OpenPGP competes in the same space as everything else,
so if you want it to be adopted, you need to make it easier than the
competition.

A good example of this type of failure is OpenID. OpenID is a great standard
and allows for the user to have much greater control of their online profiles.
However, the extra steps involved with setting up an OpenID in the first place
means that it wasn't used by the vast majority of users.

~~~
brl
The user only needs to install a Nyms supporting email client or webmail
browser extension and they're good to go for transparent communication with
any other Nyms user.

Registration and maintenance of keys is entirely automated. Making everything
as easy as possible for users without compromising on strong guarantees about
key authenticity is the whole point of this project.

~~~
diafygi
Maintenance of private keys is automated?

~~~
brl
Maintenance of public keys is automated, by which I mean the user does not
need to do anything manually for them to be published and recertified before
they expire.

Private keys don't need maintenance after generation since they are simply
stored on the user's computer.

~~~
diafygi
So you can't read your email on another computer or phone?

~~~
brl
You can copy your private keys to another device obviously, and eventually
Nyms can help you do this by brokering an end-to-end encrypted tunnel between
devices to transfer keys securely.

------
peterwwillis
Feedback: I stopped reading halfway through the second paragraph, mainly
because it's hard to read such dense paragraphs, and it also lacks a simple
summary in the first paragraph. The rest of it is one giant wall of text,
which would be difficult to read even if the paragraphs weren't so dense.
Author: can you please put in a hyperlinked table of contents? And if you're
going to use centered specific-width paragraphs, please use 'align="justify"'
for easier reading. Thanks

------
edent
[https://nyms.io/](https://nyms.io/) <-- _pfft_

Nothing user centric that I can see there. Hideously complex. How can a non-
geek get started with this?

------
walterbell
Is there code associated with this design?

~~~
brl
I'll be pushing some initial code to github soon for the first stage of the
project which is a locally running agent that provides encryption service to
email clients over a json-rpc interface. We're also building our own email
client, however the agent is designed to facilitate easy integration into any
other client.

------
michaelmior
tl;dr Since this doesn't hold a huge amount of interest for me, I passed on
reading the whole document. It would help to have a couple sentences up front
explaining what this is.

~~~
michaelmior
Not sure why this was downvoted, but something like this[1] posted by the
author was helpful.

[1] [https://moderncrypto.org/mail-archive/messaging/2014/000602.html](https://moderncrypto.org/mail-archive/messaging/2014/000602.html)

