RE: Keyservers and Spam
At 03:41 PM 6/13/03 -0700, Bill Frantz wrote: The HighFire project at Cryptorights http://www.cryptorights.org/research/highfire/ is planning on building a web of trust rooted in the NGOs who will be using the system. Each NGO will have a signing key. A NGO will sign the keys of the people working for it. In this manner, we have way of saying, The John Jones who works for Amnesty International. A NGO may decide to sign another NGO's signing key. Now we have a way to say to someone in Amnesty, Send a message to Steve Smith in Médecins Sans Frontières. The plan is to show the trust relationship in the UI as a path of keys. I would appreciate your comments. Threat model: NGO_Alice is compromised and signs GESTAPO key, leading to NGO_Bob's demise. Possible counters: NGO_Alice's NGO key is a split key, so 1 person needs be rubber hosed. I don't know if PGP supports this, I don't think so. Short key expirations, in the limit trusted for just 1 day. Already possible, just document this. Also, how do you counter the GESTAPO from seeing queries to the key servers? It might be enough to jail anyone making such an inquiry. Possible solutions would include having the keyserver perform some innocuous function, and use SSL for all connections to it. Also SSL proxying and stego of course. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Keyservers and Spam
At 11:56 AM 6/13/2003 -0400, John Kelsey wrote: At 10:27 AM 6/11/03 -0700, bear wrote: That is the theory. In practice, as long as the PGP web of trust The thing that strikes me is that the PGP web of trust idea is appropriate for very close-knit communities, where reputations matter and people mostly know one another. A key signed by Carl Ellison or Jon Callas actually means something to me, because I know those people. But transitive trust is just always a slippery and unsatisfactory sort of thing-- I may have missed it, but I thought that the web-o-trust model of PGP has generally been dismissed by the crypto community precisely because trust is not transitive. Similarly, the tree structured, hierarchical trust model has failed, we currently have a one level, not very trusted model with Verisign or Thawte or yourself at the top. I know from discussions with some of the SPKI folks that encouraging self defined trust trees was one of the goals. Of course, if the size of the tree is small enough, you can just use shared secrets. Pat Pat Farrell [EMAIL PROTECTED] http://www.pfarrell.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Keyservers and Spam
At 2:35 PM -0700 6/13/03, Pat Farrell wrote: At 11:56 AM 6/13/2003 -0400, John Kelsey wrote: At 10:27 AM 6/11/03 -0700, bear wrote: That is the theory. In practice, as long as the PGP web of trust The thing that strikes me is that the PGP web of trust idea is appropriate for very close-knit communities, where reputations matter and people mostly know one another. A key signed by Carl Ellison or Jon Callas actually means something to me, because I know those people. But transitive trust is just always a slippery and unsatisfactory sort of thing-- I may have missed it, but I thought that the web-o-trust model of PGP has generally been dismissed by the crypto community precisely because trust is not transitive. Similarly, the tree structured, hierarchical trust model has failed, we currently have a one level, not very trusted model with Verisign or Thawte or yourself at the top. I know from discussions with some of the SPKI folks that encouraging self defined trust trees was one of the goals. Of course, if the size of the tree is small enough, you can just use shared secrets. The HighFire project at Cryptorights http://www.cryptorights.org/research/highfire/ is planning on building a web of trust rooted in the NGOs who will be using the system. Each NGO will have a signing key. A NGO will sign the keys of the people working for it. In this manner, we have way of saying, The John Jones who works for Amnesty International. A NGO may decide to sign another NGO's signing key. Now we have a way to say to someone in Amnesty, Send a message to Steve Smith in Médecins Sans Frontières. The plan is to show the trust relationship in the UI as a path of keys. I would appreciate your comments. Cheers - Bill - Bill Frantz | A Jobless Recovery is | Periwinkle -- Consulting (408)356-8506 | like a Breadless Sand- | 16345 Englewood Ave. [EMAIL PROTECTED] | wich. -- Steve Schear | Los Gatos, CA 95032, USA - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Keyservers and Spam
At 11:56 AM 6/13/2003 -0400, John Kelsey wrote: The thing that strikes me is that the PGP web of trust idea is appropriate for very close-knit communities, where reputations matter and people mostly know one another. A key signed by Carl Ellison or Jon Callas actually means something to me, because I know those people. But transitive trust is just always a slippery and unsatisfactory sort of thing--the fact that Jon Callas trusts Fred Smith trusts John Jones to sign a key doesn' t really tell me whether or not I should trust him--by the time we're about three hops away, you'd have to be God to know enough to have your signature mean anything. PGP or other similar account-based mechanisms provide trust between parties that have established relationship on a purely pair-wise, bilaterial basis. It does allow some direct trust operations to diffuse out to other parties. It isn't so much a close-knit community it is how far every specific entities's trust operation diffuse out across other individuals. If the entity is called a certification authority and it provides an online service ... then the diffusing of specific trust operation might propogate out to a wide community. The issue of course is what trust attributes are propagating/diffusing and the diligence that the entity used in establishing the information to be trusted. If the entity is called a certification authority, and it manufactures certificates (basically stale, static copies of some CA internal account record) then those certificates will presumably contains some information that is bound to the public key ... where there is some degree of confidence (aka trust) with regard to the binding between the information and the public key. One issue is what meaning is there between having absolute certainty between something like an email address and a public key. Let's say it is an email address. Typically, email addresses at random are meaningless to me unless they are part of some specific context like somebody I have an established relationship with. However, if I have an established relationship with the entity, then it is back to the PGP scenario. In a broad context, businesses run on established relationships; aka financial institutions. The whole existing payment infrastructure effectively has the PGP scenario without needing certificates, and not exactly being considered a very close-knit community. The primary difference between a financial institution actiing as an entity in a PGP web-of-trust paradigm (say payment cards, credit, debit, etc) and individual is the typical scope of the reputation of the financial institution is larger than an individual, and therefor the propagation/diffusing of trust is likely to have a much further reach. To a larger degree ... the trust radius of an entity is somewhat independent of whether it is operating in the PGP manner w/o certificates or in certificate paradigm. The primary difference in the certificate paradigm is not the scope of the entity's trust it is the design point of delivering the trust. The certificate paradigm of trust delivery was targeted at an offline environment for relying parties that had no previous relationship (and had no online and/or direct recourse to the trust entity. The payment card industry established a certificateless nearly world-wide scope of trust, in part by providing an extensive online network. The certificate-based design point was to be able to provide an infrastructure for propogating trust between relying parties that had no previous relationship, were unlikely to need future relationship, and had no online or direct recourse to the trust enttity. -- Anne Lynn Wheelerhttp://www.garlic.com/~lynn/ Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Keyservers and Spam
At 05:47 PM 6/11/03 -0700, Bill Frantz wrote: To try to reflect some of David's points with a real-world situation. I was at work, with a brand new installation of PGP. I wanted to send some confidential data home so I could work with it. However I didn't have my home key at work, so I didn't have a secure way to send either the data, or the work key. I didn't even have the fingerprint of the home key. My solution was to pull Carl Ellison's business card out of my pocket. It had his key fingerprint on it, and I remember getting it directly from him, so I could trust the fingerprint. Now Carl had signed my key, so when I downloaded it from the key server, I could verify that it was indeed mine (to the extent I trusted Carl). Carl's signature, and the key server allowed me to bootstrap trust into my own key. But with a key server, I didn't have to bother Carl to send me my key. Or depend on him being online when I needed it. True, although: 1. you could have had your own key-fingerprint on your own bizcard and done the same. 2. you needn't have had your valid email address there (going back to the spam-thread), perhaps just your regular name. In fact you could have your key on your home server, not in a public server which serves as spambait. Your home server could be unlisted by using an alternate port. (I do this to get around ISP blocking, but then I'm not trying to publish papers on my home server.) Or use CGI, or a password mechanism, to deter spam-spiders. The point with spam and publishing your email address is that its like having a public physical storefront: anyone can pay the price of a cigarette to a stream of homeless people to clog your physical store. Or form a huge line if you have bouncers at the door. That's what having a public interface means. 3. I think you also trusted that Carl has not been compromised and re-signed a bogus key *after* he first signed it. (Not picking on Carl here :-) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Keyservers and Spam
To try to reflect some of David's points with a real-world situation. I was at work, with a brand new installation of PGP. I wanted to send some confidential data home so I could work with it. However I didn't have my home key at work, so I didn't have a secure way to send either the data, or the work key. I didn't even have the fingerprint of the home key. My solution was to pull Carl Ellison's business card out of my pocket. It had his key fingerprint on it, and I remember getting it directly from him, so I could trust the fingerprint. Now Carl had signed my key, so when I downloaded it from the key server, I could verify that it was indeed mine (to the extent I trusted Carl). Carl's signature, and the key server allowed me to bootstrap trust into my own key. At 3:53 PM -0700 6/10/03, David Honig wrote: At 04:54 PM 6/10/03 +0100, [EMAIL PROTECTED] wrote: I don't know you. Why should I trust your signing of someone else's key? If I know a mutual aquaintence, no need for web of trust. ... If we allow this, then the entire web-of-trust disintegrates. There *is no web of trust* unless you know the signers. In which case you may as well have them forward keys manually. But with a key server, I didn't have to bother Carl to send me my key. Or depend on him being online when I needed it. Cheers - Bill - Bill Frantz | Due process for all| Periwinkle -- Consulting (408)356-8506 | used to be the | 16345 Englewood Ave. [EMAIL PROTECTED] | American way. | Los Gatos, CA 95032, USA - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Keyservers and Spam
At 12:43 PM 6/10/03 -0400, Jeffrey Kay wrote: number (which I now use Call Intercept to avoid telephone solicitors). But for privacy reasons, some folks will not automatically forward their phone number. You either deny them access or require them to jump through extra hoops (redial w/ special control codes that send their ID). Analogy w/ email PGP left as an exercise.. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]