Taher Elgamal, the Father of SSL, on why passwords must be eliminated
We need to get rid of passwords, that's not blue sky.
Any threats, any breaches, anything that happened in the entire world in terms of security issues, 99% of them were because of a password problem. So this is actually the number one security issue in the digital world today by far.
So the idea of self assigning a set of keys for each user to choose a bunch of keys and build their own certificate, so I can sign things and send them to you, is actually novel. We've always built certificates based on somebody, a trusted third-party issuing certificates always, because I couldn't do a certificate for myself and claim to be Bank of America and show it to. How do you know if I'm Bank of America or not? So the trusted third-party was actually very important in terms of authenticating the entity, the server side.
We thought we had to do that with the client side and the nature of this new idea is that we actually don't. The only thing you need to do is to register the key with the backend that you care about and then when you continuously use the same key you know that this is the same entity.
So the idea of the self-signed certificate on the user side, so that the user gets to decide which devices they own and they control their own keys and their own identities and their own data is kind of awesome.
Now we're in a privacy driven world now there's so many privacy things. So anything that is user driven is gonna be looked at very favorably. So the fact that we can enable each user to be their own certificate authority and in the language we use and issue their own keys, register the keys they want with whoever they want to register with, you've done the initial step and then you can prove yourself ongoing by just showing showing the key—not showing the key itself but showing the effect of the key, which SSL does actually.
Like Albert Einstein used to say, "When you arrive at the simplest way to solve a problem, you know you got something."