Re: Keysigning challenge policies/procedures
Am Freitag, 7. Juli 2006 06:31 schrieb Todd Zullinger: What I don't see in any of the links is more information about sending an email challenge before signing a key. (My apologies if I'm overlooking it on your page or any of the others.) It's been discussed here before but I've not found any scripts or good details that I could point my fellow LUG members toward. Try CA-Bot (http://cabot.alioth.debian.org/). I haven't used it myself because I'm using a self-written script for creating challenges with KMail. But I've been sent a few challenges generated by CA-Bot. Last time I received such a message, it said (at least IIRC) that CA-Bot couldn't handle signed and/or encrypted replies. So using CA-Bot you can only check whether the person you send the challenge to can decrypt the challenge, but you can't check whether he also controls the signing key. Isn't it a good thing to send some random data to each UID on the key someone wishes you to sign and require that they send back that data signed by the key to prove they control both the key and the email address in the UID? Where control the email address is different from is the owner of the email address. Anybody between you and the owner of the email address can intercept the challenge, sign it and send it back to you. This is especially a problem with email addresses which don't contain the name, but just some random alias, nickname or whatever. [EMAIL PROTECTED] could be anyone's email address. Regards, Ingo pgpTNG1L4YMPx.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
* Todd Zullinger [EMAIL PROTECTED] wrote: What I don't see in any of the links is more information about sending an email challenge before signing a key. (My apologies if I'm overlooking it on your page or any of the others.) Before I used a protocol to signing keys where I sent out random strings as challenge response but it's not worth. There is no enhanced security and only more work for signer and signee. If you send the signed UIDs encrypted to each mail address separately it has the same effect in security because if the mail address bounces or the person behind the address doesn't have the private key your signed UIDs won't become publicly available. It's been discussed here before but I've not found any scripts or good details that I could point my fellow LUG members toward. Isn't it a good thing to send some random data to each UID on the key someone wishes you to sign and require that they send back that data signed by the key to prove they control both the key and the email address in the UID? There are some scripts around but don't use CA-Bot as Ingo suggested. As he has already said it has problems with so-called sign-only-keys and it sends out broken mails. caff, from the same author, handles these keys much better. It can be downloaded from the third link I mentioned. Besides it is already available in Debian and FreeBSD. Regards, Marcus -- This elevator serves me alone. I have complete control over this entire level. With cameras as my eyes and nodes as my hands, I rule here, insect. (Shodan in System Shock) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ingo Klöcker wrote: Try CA-Bot (http://cabot.alioth.debian.org/). Thanks Ingo. I haven't used it myself because I'm using a self-written script for creating challenges with KMail. Could you elaborate a little on the procedure you use to generate the challenges? I'd love to have some examples of how other folks do things to present to my fellow LUG members. But I've been sent a few challenges generated by CA-Bot. Last time I received such a message, it said (at least IIRC) that CA-Bot couldn't handle signed and/or encrypted replies. So using CA-Bot you can only check whether the person you send the challenge to can decrypt the challenge, but you can't check whether he also controls the signing key. That's unfortunate, since the signature is more important than the decryption, AFAIAC. I'll take a look and see if CA-bot can't be useful as a starting point for some scripts of my own. Isn't it a good thing to send some random data to each UID on the key someone wishes you to sign and require that they send back that data signed by the key to prove they control both the key and the email address in the UID? Where control the email address is different from is the owner of the email address. Anybody between you and the owner of the email address can intercept the challenge, sign it and send it back to you. Of course, but they can't sign it with the key I've been asked to sign and which I verified from the key fingerprint and other owner details, unless they are the proper owner of that key. This is especially a problem with email addresses which don't contain the name, but just some random alias, nickname or whatever. [EMAIL PROTECTED] could be anyone's email address. Right. But if we met in person and I showed you acceptable ID, provided you with the key fingerprint and other key data, then returned a challenge from you signed using the key matching the fingerprint that you verified in our meeting, you know that I am in control of the key and that I can get mail at [EMAIL PROTECTED] Obviously, others can read mail there too and that's why I'm using GPG to ensure that I'm the only one that will be able to decipher mail sent to that address and generate verifiable email from that address. Thanks, - -- ToddOpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp == You will never find time for anything. If you want time you must make it. -- Charles Buxton -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.4 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkSudgomGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1qhDQCg113UiRsz5aUYeNGvRWOQdOHRzT0AnAnXloPp xhBU91pupwwlzXFTFOjm =xk6i -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Marcus Frings wrote: * Todd Zullinger [EMAIL PROTECTED] wrote: What I don't see in any of the links is more information about sending an email challenge before signing a key. (My apologies if I'm overlooking it on your page or any of the others.) Before I used a protocol to signing keys where I sent out random strings as challenge response but it's not worth. There is no enhanced security and only more work for signer and signee. If you send the signed UIDs encrypted to each mail address separately it has the same effect in security because if the mail address bounces or the person behind the address doesn't have the private key your signed UIDs won't become publicly available. But that does mean that you can't get a signed key to someone if the key you've signed doesn't have any encryption capabilities, correct? Unless, of course, you have told the signee that they must provide you with a key which they wish to have the signed keys encrypted to. Have you found in practice that you don't run into many sign-only keys that you are asked to certify? There are some scripts around but don't use CA-Bot as Ingo suggested. As he has already said it has problems with so-called sign-only-keys and it sends out broken mails. caff, from the same author, handles these keys much better. It can be downloaded from the third link I mentioned. Besides it is already available in Debian and FreeBSD. Thanks, I'll look closer at caff. I didn't pull down the package and play with it yet. - -- ToddOpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp == You're not drunk if you can lie on the floor without holding on. -- Dean Martin -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.4 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkSueUMmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1pmfwCg+sxhZadaXGAJYLU/7yBAT/1XIq0An2UnRecE 3bNFigiZqvEXMotWpR5z =09Wl -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
On Friday, July 7, 2006, 11:19:47 AM, Marcus wrote: * Todd Zullinger [EMAIL PROTECTED] wrote: What I don't see in any of the links is more information about sending an email challenge before signing a key. (My apologies if I'm overlooking it on your page or any of the others.) Before I used a protocol to signing keys where I sent out random strings as challenge response but it's not worth. There is no enhanced security and only more work for signer and signee. If you send the signed UIDs encrypted to each mail address separately it has the same effect in security I don't think that's true: Decryption is (usually) handled by the encryption subkey and there's absolutely no guarantee that this subkey is controlled by the same person as the primary/signing key. There may even be valid reasons to split the two roles. Since UIDs are attached to the primary key and the primary key is the only one that can modify UIDs (and signing a key is all about UIDs) this system can't prove what it's supposed to prove: The link between the UID (better: the e-mail-address in it) and the person in control of it. Regards, Mark Kirchner -- _ Key (0x172C073C): http://www.mark-kirchner.de/keys/key-mk.asc pgpPS4gfqXjf1.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
On Friday 07 July 2006 16:56, Todd Zullinger wrote: Ingo Klöcker wrote: I haven't used it myself because I'm using a self-written script for creating challenges with KMail. Could you elaborate a little on the procedure you use to generate the challenges? I'd love to have some examples of how other folks do things to present to my fellow LUG members. My script does the following: For each key id that's given on the command line it first determines all UIDs which are neither revoked nor expired nor have already been signed by me. Then for each UID a random string is generated. I use the command head -c 18 /dev/urandom | mimencode for this. (mimencode is part of metamail.) This challenge and the key id and the UID are then inserted into a text explaining what the receiver of the challenge has to do. This text is then encrypted with the key corresponding to the key id. The encrypted text is then prepended with another text explaining what the encrypted text is about. Finally the resulting text is given to KMail together with the email address (==UID). Now I only have to click on the Send button in KMail to send the message. (I could make KMail automatically send the messages, but I prefer to have a last look at them before I send them in order to check that everything worked correctly.) I've attached the script. Isn't it a good thing to send some random data to each UID on the key someone wishes you to sign and require that they send back that data signed by the key to prove they control both the key and the email address in the UID? Where control the email address is different from is the owner of the email address. Anybody between you and the owner of the email address can intercept the challenge, sign it and send it back to you. Of course, but they can't sign it with the key I've been asked to sign and which I verified from the key fingerprint and other owner details, unless they are the proper owner of that key. Yes, they can if it was them who asked you to sign their key. For example, I could create a key with my name and your email address, go to a key signing party and make everybody sign the fake user id. And if I can intercept your mail then I can even reply to challenges. Of course, such an attack probably doesn't make much sense because for what purpose should I want to make someone believe I have an email address I do in fact not own (but which I can intercept). Regards, Ingo send-challenge-v1.1.pl Description: Perl program pgpDyeYJuFQ2o.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
On Friday 07 July 2006 17:09, Todd Zullinger wrote: Marcus Frings wrote: * Todd Zullinger [EMAIL PROTECTED] wrote: What I don't see in any of the links is more information about sending an email challenge before signing a key. (My apologies if I'm overlooking it on your page or any of the others.) Before I used a protocol to signing keys where I sent out random strings as challenge response but it's not worth. There is no enhanced security and only more work for signer and signee. If you send the signed UIDs encrypted to each mail address separately it has the same effect in security because if the mail address bounces or the person behind the address doesn't have the private key your signed UIDs won't become publicly available. But that does mean that you can't get a signed key to someone if the key you've signed doesn't have any encryption capabilities, correct? That's obviously correct. In this case you could give the key owner a piece of paper with a random string and ask him to send it in a signed message to your email address. Then you know that he can use this key for signing messages. Obviously, you can't check the validity of the email addresses belonging to this key (unless he's got an encryption key you can use for checking the addresses). But in case of a certification-only key even that won't work. Unless, of course, you have told the signee that they must provide you with a key which they wish to have the signed keys encrypted to. Have you found in practice that you don't run into many sign-only keys that you are asked to certify? Among a few hundreds keys I've signed so far only a handful were sign-only or certification-only keys. I did simply sign them with a lower verification level. Regards, Ingo pgpgallYqWFGA.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ingo Klöcker wrote: On Friday 07 July 2006 17:09, Todd Zullinger wrote: [...] But that does mean that you can't get a signed key to someone if the key you've signed doesn't have any encryption capabilities, correct? That's obviously correct. In this case you could give the key owner a piece of paper with a random string and ask him to send it in a signed message to your email address. Then you know that he can use this key for signing messages. Obviously, you can't check the validity of the email addresses belonging to this key (unless he's got an encryption key you can use for checking the addresses). Is it really necessary to encrypt the challenge? If the key has encryption capabilities, I would do so, but if it was a sign only key and I could not do so, just what sort of attacks or weaknesses are there in sending the challenge in the clear? I've seen David Shaw point out that it didn't gain you much. I'm just trying to work through the possible scenarios so I have them clear in my mind before trying to present this to a larger group, who may well end up with questions on this that I'd like to have better answers for than I do now. Have you found in practice that you don't run into many sign-only keys that you are asked to certify? Among a few hundreds keys I've signed so far only a handful were sign-only or certification-only keys. I did simply sign them with a lower verification level. Okay. I would have guessed that you probably wouldn't run into terribly many keys like this, but thank you for giving some practical experience to support this. - -- ToddOpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp == ...unfortunately, we can't control the actions of everyone. -- Bill Clinton, April 20, 1993 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.4 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkSuwMcmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1ogLQCfdgI3cZPmG30R7Ho9S6wERT1Bf0MAoJnW40cG UqfQ+iNwqQUwaDyhHVFH =gsl0 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
On Fri, Jul 07, 2006 at 11:19:47AM +0200, Marcus Frings wrote: * Todd Zullinger [EMAIL PROTECTED] wrote: What I don't see in any of the links is more information about sending an email challenge before signing a key. (My apologies if I'm overlooking it on your page or any of the others.) Before I used a protocol to signing keys where I sent out random strings as challenge response but it's not worth. There is no enhanced security and only more work for signer and signee. If you send the signed UIDs encrypted to each mail address separately it has the same effect in security because if the mail address bounces or the person behind the address doesn't have the private key your signed UIDs won't become publicly available. I've been away on vacation and only picked up this thread now. This statement is not correct. Back in the PGP 2.x days, this might have been true, but with OpenPGP, there is no particular requirement that the ability to sign and the ability to decrypt are connected. You can have a shared key with separate capabilities. Sending an signed key via encrypted mail does not ensure anything about the key owner. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
On Fri, Jul 07, 2006 at 08:39:37PM +0200, Ingo Klöcker wrote: On Friday 07 July 2006 17:09, Todd Zullinger wrote: Marcus Frings wrote: * Todd Zullinger [EMAIL PROTECTED] wrote: What I don't see in any of the links is more information about sending an email challenge before signing a key. (My apologies if I'm overlooking it on your page or any of the others.) Before I used a protocol to signing keys where I sent out random strings as challenge response but it's not worth. There is no enhanced security and only more work for signer and signee. If you send the signed UIDs encrypted to each mail address separately it has the same effect in security because if the mail address bounces or the person behind the address doesn't have the private key your signed UIDs won't become publicly available. But that does mean that you can't get a signed key to someone if the key you've signed doesn't have any encryption capabilities, correct? That's obviously correct. In this case you could give the key owner a piece of paper with a random string and ask him to send it in a signed message to your email address. Then you know that he can use this key for signing messages. Obviously, you can't check the validity of the email addresses belonging to this key (unless he's got an encryption key you can use for checking the addresses). Sure you can: just send the random string to the email address. If the person can return the string back to you, signed, then you know that there is access to both the signing key and the email address. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
On Fri, Jul 07, 2006 at 04:15:03PM -0400, Todd Zullinger wrote: Ingo Klöcker wrote: On Friday 07 July 2006 17:09, Todd Zullinger wrote: [...] But that does mean that you can't get a signed key to someone if the key you've signed doesn't have any encryption capabilities, correct? That's obviously correct. In this case you could give the key owner a piece of paper with a random string and ask him to send it in a signed message to your email address. Then you know that he can use this key for signing messages. Obviously, you can't check the validity of the email addresses belonging to this key (unless he's got an encryption key you can use for checking the addresses). Is it really necessary to encrypt the challenge? If the key has encryption capabilities, I would do so, but if it was a sign only key and I could not do so, just what sort of attacks or weaknesses are there in sending the challenge in the clear? I've seen David Shaw point out that it didn't gain you much. I'm just trying to work through the possible scenarios so I have them clear in my mind before trying to present this to a larger group, who may well end up with questions on this that I'd like to have better answers for than I do now. There is no harm (and no real benefit either) in sending the challenge NOT in the clear. Either way, you're proving the same thing: whether the email address goes anywhere and whether someone who has access to the email also has access to the key. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
* Ingo Klöcker [EMAIL PROTECTED] wrote: On Friday 07 July 2006 17:09, Todd Zullinger wrote: Have you found in practice that you don't run into many sign-only keys that you are asked to certify? Among a few hundreds keys I've signed so far only a handful were sign-only or certification-only keys. I did simply sign them with a lower verification level. Me, too. I just give these sign-only keys a level of 2 as explained in my policy. I have been at several (large) keysigning parties and luckily there are not so many sign-only keys around. I don't like them very much but that's life ... Regards, Marcus -- Paranoia - das heißt doch nur, die Wirklichkeit realistischer zu sehen als andere. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
On Fri, Jul 07, 2006 at 07:22:40PM +0200, Mark Kirchner wrote: On Friday, July 7, 2006, 11:19:47 AM, Marcus wrote: * Todd Zullinger [EMAIL PROTECTED] wrote: What I don't see in any of the links is more information about sending an email challenge before signing a key. (My apologies if I'm overlooking it on your page or any of the others.) Before I used a protocol to signing keys where I sent out random strings as challenge response but it's not worth. There is no enhanced security and only more work for signer and signee. If you send the signed UIDs encrypted to each mail address separately it has the same effect in security I don't think that's true: Decryption is (usually) handled by the encryption subkey and there's absolutely no guarantee that this subkey is controlled by the same person as the primary/signing key. There may even be valid reasons to split the two roles. Since UIDs are attached to the primary key and the primary key is the only one that can modify UIDs (and signing a key is all about UIDs) this system can't prove what it's supposed to prove: The link between the UID (better: the e-mail-address in it) and the person in control of it. This is exactly correct. The identity (for lack of a better word) is the primary+UID. Since that is what you are signing when you sign someone's key, that is what you should be verifying before you make the signature. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keysigning challenge policies/procedures
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi David, David Shaw wrote: I've been away on vacation and only picked up this thread now. Hope it was relaxing. Welcome back seems like a negative thing to say. ;) This statement is not correct. Back in the PGP 2.x days, this might have been true, but with OpenPGP, there is no particular requirement that the ability to sign and the ability to decrypt are connected. You can have a shared key with separate capabilities. Sending an signed key via encrypted mail does not ensure anything about the key owner. Marcus and Ingo have very been helpful in providing pretty specific procedures that they've used (and documented) for key signing. I've read with interest the comments that you've made over the years as the topic of keysigning has come up and I'd be very appreciative if you could share a basic outline of the procedure you take or recommend. As I alluded to at the start of this thread, I've been volunteered to give a talk on the process and reason behind key signing at an upcoming meeting of my local LUG. I've been trying to find as many different peoples policies and procedures as I can prior to my presentation to a) refresh my memory and b) prepare for potential questions on why one might use a particular method. I highly respect the methods you've outlined on this list and I think the members of my local LUG could benefit greatly from being exposed to the policy/procedure for handling keys the come across at a key signing party. Thanks much for your efforts on GnuPG. Like OpenSSH, it's one of the applications that I use every single day and would have a hard time living without. - -- ToddOpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp == Life is the art of drawing without an eraser. -- John Gardner -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.4 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkSvRTwmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1oIFACg1o1VlJkJc3qnus5D24wxs1+c+nMAnif/DXQB GM8hQmMqt6RFQ6AxQObg =yZQj -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users