Further thoughts on this problem.
It appears that my different digital assets should be managed using different protection levels. Examples:
- I don’t want my family photos to be publicly accessible. But if a few are, or even if all of them are, that’s a much smaller problem than if the login information for all of my bank accounts were publicly accessible.
- Some of my digital assets are truly mine, and nobody should access them other than me (and perhaps my heirs after I can’t any more). Some really belong to several people, e.g. the family photos belong to everybody in the family, and everybody should be able to access them. Some belong to work, so there are overlapping sets of authorized users.
- Ideally, even rather complex cases should be supported. For example, only my wife should be able to access my health information at any time, but if she and I were in the same traffic accident, it would make sense that somebody else could, too.
- Some information can be reconstructed reasonably easily, e.g. I can get my bank to reset my website password. Other information cannot: e.g. the Mac’s hard drive is AES-128 encrypted, and losing the credential for it essentially means game over.
It also appears that some kind of “master password” approach is required. That master password, or credential, or whatever it turns out to be, needs to be extremely well protected, but then can unlock all the other credentials.
But it is tricky in itself: if the master credential were lost, it cannot be acceptable that everything becomes inaccessible. And giving other people copies of the master credential would be incompatible with the idea that I can use different protection levels.
If the master credential were a password, it could easily be forgotten. (Happens regularly to me.) If it were a hardware token or some other physical thing, it could easily be lost, stolen, or break. And I’m not sure I want to introduce biometrics into the picture (following the old classification that a credential is either something you know, something you have, or something you are). So we need to introduce some redundancy and recoverability at the root credential level, without giving away the keys to the kingdom.
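One construction that gives exactly this property, and that also covers the "my wife alone, or two other people together" case from the list above, is threshold secret sharing (Shamir's scheme): the master credential is split into shares so that any two shares reconstruct it, while a single share reveals nothing. Giving one person two shares lets them recover alone; everyone else needs a partner. The code below is an added example written for this post, not something the author proposed or used; the holder names, the 4-share split and the 32-byte master key are constructed for the demonstration.

```python
import secrets

# Field prime for the arithmetic: 2**521 - 1 is a Mersenne prime, comfortably
# larger than a 32-byte master key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    # Horner's rule: evaluate the polynomial at x, modulo PRIME.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, n_shares: int):
    """Split `secret` into n_shares (x, y) points; any `threshold` of them recover it."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_int(shares) -> int:
    """Lagrange interpolation at x = 0; correct only with >= threshold distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    s = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xi != xj:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        s = (s + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return s


def recover_secret(shares, secret_len: int) -> bytes:
    return recover_int(shares).to_bytes(secret_len, "big")


def holder_shares_example(master_key: bytes):
    """Constructed scenario (hypothetical holders): threshold 2 out of 4 shares.
    The spouse holds two shares and can recover alone; the sibling and the lawyer
    hold one each and can recover only together."""
    shares = split_secret(master_key, threshold=2, n_shares=4)
    return {
        "wife": [shares[0], shares[1]],
        "sibling": [shares[2]],
        "lawyer": [shares[3]],
    }


def can_recover(shares, master_key: bytes) -> bool:
    """True if the given shares reconstruct master_key (compared as integers, since
    a too-small share set yields a random field element, not a 32-byte value)."""
    return recover_int(shares) == int.from_bytes(master_key, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed master key for the demo
    holders = holder_shares_example(key)
    print("wife alone:", can_recover(holders["wife"], key))
    print("sibling alone:", can_recover(holders["sibling"], key))
    print("sibling + lawyer:", can_recover(holders["sibling"] + holders["lawyer"], key))
```

The master key itself would then be the thing that unlocks the per-level credential stores, so the holders never see the bank logins or the disk-encryption credential directly; they only see an opaque share, and one share is useless on its own. Losing any single share (a forgotten password, a broken token) costs nothing as long as enough others survive, which is the redundancy without handing anyone the whole kingdom.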