At 4:38 PM -0700 9/5/2000, David Honig wrote:
>At 05:33 PM 9/3/00 -0400, Dan Geer wrote:
>>
>>>   How do they exchange public keys?  Via email I'll bet.
>>
>
>>Note that it is trivial(*) to construct a self-decrypting
>>archive and mail it in the form of an attachment.  The
>>recipient will merely have to know the passphrase.  If
>
>If you have a secure channel to exchange a passphrase in,
>you have no need for PK.
>

I don't see any need for self-decrypting archives or passphrases. 
The public key can be sent un-encrypted.  All you need is a trusted, 
not secure, channel to send the key fingerprint. This channel can 
have very low bandwidth and need not be electronic.

Without key fingerprint verification, the primary attack against an 
open exchange of public keys is the Man in the Middle. Remember the 
burden on the Man in the Middle attacker against Bob:

1. The MITM must intercept every key exchange message that Bob sends 
or receives and then every message of any sort that Bob sends or 
receives thereafter.

2. The MITM must be prepared to detect attempts to verify key 
fingerprints in any message Bob sends or receives. These can involve 
foreign languages, anagrams, subtle phrasing, steganography, etc. In 
general this means that all messages must be screened by a well 
trained human, not automatically.

3. If Bob ever discovers he is being attacked, he can use the MITM to 
feed false information to his adversary.

4. If the attacker ever decides to stop,  Bob will immediately be 
alerted that something was wrong.

I think it is much cheaper and less risky to get one of the parties' 
private keys by planting a worm program or bugging their keyboard.


At 7:22 PM -0700 9/5/2000, Ed Gerck wrote:
>
>PGP is based on an “introducer-model” which depends on
>the integrity of a chain of authenticators, the users
>themselves. The users and their keys are referred from one
>user to the other, as in a friendship circle, forming an
>authentication ring, modeled as a list or “web-of-trust”.
>The web-of-trust model has some problems, to wit:

I would add one more problem with the web-of-trust model: the classic 
p**n reliability equation. If there is a 90% chance that any given 
introducer is reliable, then there is only a 34% chance that a chain 
of 10 introducers is reliable.  Would you give even a 90% trust 
rating to a bunch of strangers?  To really work, the web-of-trust 
requires multiple, independent paths between any two individuals so 
you can take the "or" of several chains. That level of density is not 
likely to happen with individuals.

On the other hand, PGP does not depend on the web-of-trust model 
and I doubt very many people try to use it.  I suspect most users 
find other ways to exchange keys with their friends.  As Paul Crowley 
points out, what exactly does it mean to have trust in a stranger's 
public key?


Arnold Reinhold
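
The p**n estimate and the "or" of several chains from the message above, worked through as an added example (not part of the original message). It assumes introducers fail independently and that the chains share no introducers; the function names are illustrative.

```python
import math


def chain_reliability(p: float, n: int) -> float:
    """Probability that all n introducers in a single chain are reliable (p**n)."""
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must be in [0, 1] and n must be >= 0")
    return p ** n


def any_chain_reliable(p: float, n: int, k: int) -> float:
    """Probability that at least one of k chains is fully reliable.

    Assumption: the k chains are independent (no shared introducers),
    so the chance that all of them fail is (1 - p**n)**k.
    """
    if k < 1:
        raise ValueError("k must be >= 1")
    return 1.0 - (1.0 - chain_reliability(p, n)) ** k


def chains_needed(p: float, n: int, target: float) -> int:
    """Smallest number of independent chains whose 'or' reaches the target."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    single = chain_reliability(p, n)
    if single == 0.0:
        raise ValueError("a chain that can never be reliable cannot reach the target")
    if single >= target:
        return 1
    # Solve 1 - (1 - single)**k >= target for k, then guard against rounding.
    k = math.ceil(math.log(1.0 - target) / math.log(1.0 - single))
    while any_chain_reliable(p, n, k) < target:
        k += 1
    return k


if __name__ == "__main__":
    p, n = 0.9, 10  # figures used in the message
    print(f"one chain of {n}: {chain_reliability(p, n):.4f}")
    for k in (1, 2, 5, 10):
        print(f"'or' of {k} chains: {any_chain_reliable(p, n, k):.4f}")
    print("chains needed for 90%:", chains_needed(p, n, 0.9))
```

If real chains share an introducer, their failures are correlated and the combined figure is lower than this independent-chain estimate.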
