I’ve been thinking about P2P systems using asymmetric keys and wondering if there is any way to recover an identity in the event it was compromised using some kind of web-of-trust.
This seems to be a large issue compared to a regular system (using a central authority) that can remove the intruder's access and restore control of the account to the real owner (DigiCert, Facebook, Twitter, etc.).
Possible Peer-run Certificate Authority Design
What if a master key pair was generated by a user and then used to create a subkey? Then, using 16+ random bytes, the master key's private component could be encrypted. The public and encrypted private key parts can be stored on the network publicly. The public part of this master key would be the root identity for that user.
The owner could choose 5+ nodes on the network (friends?) to store parts of the passphrase used to encrypt the master key private component and then erase its knowledge of those bytes.
The subkey would be the active user identity (with its own AES password protecting the private part). Should this client get phished, forget their password, or someone steal their sub-key private component, we could use the peers to restore the master key and revoke this subkey. Then we could generate and sign a new subkey.
I'm not sure how this would work other than the client sending a request to each node and them verifying the client through some out-of-band way (phone call? Text?) before sending their part of the master key password.
Would this work? Are there any existing solutions to this problem?