[messaging] One CONIKS or many?

Watson Ladd watsonbladd at gmail.com
Thu Mar 24 20:51:52 PDT 2016

On Thu, Mar 24, 2016 at 8:32 PM, Marcela Melara <melara at cs.princeton.edu> wrote:
> I would add a couple of things to Joe’s explanation as to why having a
> single CONIKS service for many is probably disadvantageous.
> One is that CONIKS is designed in such a way that it provides stronger
> security when there are more participants — in particular auditors — in the
> system. Though CONIKS key servers don’t necessarily need to act as auditors
> in practice, our original thinking was that the system would be less complex
> (i.e. require fewer parties in addition to the key servers) by having the
> key servers act as auditors as a way to cross-verify each other. So by
> having the auditing code for everything in one place, you’ve essentially
> reduced the number of auditors to one (at least for all of the messaging
> services relying on the one CONIKS service), which weakens the overall
> security of the users of the one CONIKS service.

So if we have an instance for Punr and another for Swiftery each
storing keys for one of them, they will audit each other? It seems
that auditing a single service is more likely to happen/we can't rely
on servers being independent when centralized messaging providers have
to run them.

