Re: Modernizing Web-of-trust for Organizations

2018-01-03 Thread Lou Wynn
On 01/03/2018 04:40 PM, MFPA wrote:
>> It is already the case that an organisation does not need to depend on
>> third-party CAs to certify its staff's OpenPGP keys.
>>

It's true for OpenPGP because OpenPGP is a distributed system: there is
no single CA, or rather it doesn't have the concept of a CA at all. My
original implicit reference is PKI-based S/MIME.

The autonomous certificate authority model is different from both PKI
and web of trust. As I explained in one of my previous posts, this
model clearly defines what trustworthiness is. The short version is:

A trusted key, or trustworthiness, means that the sender's certificate is
verified to be in the same trust realm or in the same trust group as
the receiver, in addition to traditional signature verification.

In this model, end users are completely freed from managing trust
relationships, because trustworthiness can be checked mechanically, and
this makes sense for organizational usage.

Thanks,
Lou


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Modernizing Web-of-trust for Organizations

2018-01-03 Thread MFPA

Hi


On Thursday 4 January 2018 at 1:46:55 AM, in
, Lou Wynn wrote:-


> When I said for "both," I might have misunderstood what you meant by
> a shared keyring? Can you explain it a little bit? 

PGP and GnuPG traditionally store private keys in a secret keyring and
public keys in a public keyring. Each user's secret keyring has just
their own secret keys. Each user's public keyring contains their own
public keys, plus other people's public keys for encrypting messages
or checking signatures. Multiple users' OpenPGP installations could
theoretically all be configured to point to the same shared keyring
files instead of each user having their own local keyring files (or
all their local keyring files could be kept in sync with a central
copy).



> My system doesn't
> share anything that is related to user private keys, except that
> encrypted private keys are saved in a database. 

If the user's OpenPGP software accesses that database each time it
needs to use the private key, the database is providing the same
function as the old secret keyring.



> An analogy is
> placing two people's encrypted PGP secret keyrings on a file server,
> and decryption is still done at the client side. I'm not sure if
> this is what you meant by a shared keyring.

If my keyring and your keyring happened to be stored on the same
server but they were separate and there was no sharing or syncing
between them, it would not be a shared keyring.


-- 
Best regards

MFPA  

Is it bad luck to be superstitious?




Re: Modernizing Web-of-trust for Organizations

2018-01-03 Thread Lou Wynn
On 01/03/2018 05:34 PM, Lou Wynn wrote:
>> Are you talking about something like a shared keyring? Or just managing 
>> trust relationships by issuing key certifications and
>> revocations?
> The short answer is for both. End users do not need to manage their

When I said "for both," I might have misunderstood what you meant by a
shared keyring. Can you explain it a little? My system doesn't share
anything that is related to user private keys, except that encrypted
private keys are saved in a database. An analogy is placing two people's
encrypted PGP secret keyrings on a file server, and decryption is still
done at the client side. I'm not sure if this is what you meant by a
shared keyring.

Thanks,
Lou




Re: Modernizing Web-of-trust for Organizations

2018-01-03 Thread MFPA
Hi


On Wednesday 3 January 2018 at 7:02:08 AM, in
, Lou Wynn wrote:-



> 1. Goals of the system

> a. An organization does not depend on third-party certificate
> authorities.

It is already the case that an organisation does not need to depend on
third-party CAs to certify its staff's OpenPGP keys.

For example, my ISP [0] says "All staff keys are signed using the
company signing key. This is very much like a traditional company
seal. Only the director has access to this key and it is only used for
signing other keys. If/when a member of staff leaves a revocation is
issued of that signature and loaded on to keyservers."



> b. Its employees and business partners do not manually manage their
> own keys and trust relationship, and the administrator centrally
> manages all certificates and trustworthiness for the organization.

Are you talking about something like a shared keyring? Or just
managing trust relationships by issuing key certifications and
revocations?



> c. Business units can flexibly define trust boundaries. For example,
> the security department can have some black hats as business
> partners, but these black hats should not be trusted by other
> employees of the organization.

Would the business unit achieve this by using their own certifying
key in addition to the enterprise-wide certifying key?



> d. Providing end-to-end security with public key ciphers. An end
> user's private key should not be exposed to anyone, namely, only the
> end user has access to his or her private key to ensure valid
> signature and decryption.

So each user would still generate their own key pair.



> When keys of business partners are certified by the CK, the above
> two design principles place the employees and business partners in
> the same trust realm and therefore trust each other, but not between
> two business partners because two business partners are not in the
> same trust realm.

Isn't it up to the two business partners to decide whether or not to
trust each other's keys?

Whether or not the business partners choose
to consider the presence of the certification from the company's
RK/CKs when making their respective decisions, isn't it ultimately not
really any of the company's business?


[0] 



-- 
Best regards

MFPA  

Zorba the Greek - before he zorbas you



Re: Modernizing Web-of-trust for Organizations

2018-01-03 Thread Lou Wynn
I just realized that I overloaded the meaning of signature verification.
Here, signature verification, both in my previous discussion and in the
receiver's UI, also includes the certificate verification described in
2.b, in addition to traditional signature verification.

Thanks,
Lou

On 01/03/2018 01:04 PM, Lou Wynn wrote:
> Yes, "trusted" keys do not mean much without contexts. There are a few
> contexts in which to see what trustworthiness means.
>
> 1. From the certificate verification point of view, a trusted key means that
> the certificate is verified to be in the same trust realm or in the same
> trust group as the receiver.
>
> 2. From the user interface point of view, a trusted key is reflected by
> marking the sender's signature as verified, and an untrusted key is
> marked with a warning that the signature cannot be verified. An
> automated or manual process can be applied to delete or quarantine
> messages whose signature verification fails. The screenshots on the web
> link show this intuitive UI. Of course, the final decision about what to
> do with such messages is up to the receiver. The signature verification
> warning makes the receiver aware of the sender's status, which is
> either certified to be in the same trust realm/group or not
> certified as such.
>
> Thanks,
> Lou
>
>



Re: Modernizing Web-of-trust for Organizations

2018-01-03 Thread Lou Wynn
On 01/03/2018 11:21 AM, Daniel Kahn Gillmor wrote:
> Hi Lou--
>
> On Tue 2018-01-02 23:02:08 -0800, Lou Wynn wrote:
>> b. Its employees and business partners do not manually manage their own
>> keys and trust relationship, and the administrator centrally manages all
>> certificates and trustworthiness for the organization.
> backing up a bit here -- what kind of "trustworthiness" are you talking
> about in your proposal?  your description includes several uses of the
> word "trust", but no clear explanation of what that trust entails.
>
> saying that keys are "trusted" doesn't mean much on its own.  What is a
> "trusted" key allowed to do that an "untrusted" key is not allowed to
> do?
>
> --dkg

Yes, "trusted" keys do not mean much without contexts. There are a few
contexts in which to see what trustworthiness means.

1. From the certificate verification point of view, a trusted key means that
the certificate is verified to be in the same trust realm or in the same
trust group as the receiver.

2. From the user interface point of view, a trusted key is reflected by
marking the sender's signature as verified, and an untrusted key is
marked with a warning that the signature cannot be verified. An
automated or manual process can be applied to delete or quarantine
messages whose signature verification fails. The screenshots on the web
link show this intuitive UI. Of course, the final decision about what to
do with such messages is up to the receiver. The signature verification
warning makes the receiver aware of the sender's status, which is
either certified to be in the same trust realm/group or not
certified as such.

Thanks,
Lou





Re: Modernizing Web-of-trust for Organizations

2018-01-03 Thread Daniel Kahn Gillmor
Hi Lou--

On Tue 2018-01-02 23:02:08 -0800, Lou Wynn wrote:
> b. Its employees and business partners do not manually manage their own
> keys and trust relationship, and the administrator centrally manages all
> certificates and trustworthiness for the organization.

backing up a bit here -- what kind of "trustworthiness" are you talking
about in your proposal?  your description includes several uses of the
word "trust", but no clear explanation of what that trust entails.

saying that keys are "trusted" doesn't mean much on its own.  What is a
"trusted" key allowed to do that an "untrusted" key is not allowed to
do?

--dkg

