I've just had an interesting experience which has set me to thinking about
the usefulness of tools like PGP, including implicitly the Web of Trust,
Keyservers, and so on.
The situation that brought this to mind was a simple one. I wanted to
rejoin an association that I'd somehow lapsed from, many years ago. (I
won't name names, but it will probably be easy to guess. Let me stress that
this note is *not* intended as a criticism of the organisation in any way.)
It is an organisation devoted to issues of privacy and cryptography, based
here in Australia. I was pleased to see that one of my options was to send
payment by credit card in PGP encrypted email. The PGP key to use belonged
to an individual, and could be obtained from the organisation's web site. I
went to the web site, and there was a very small key. Note that getting the
key from their web site does not satisfy me, although it is almost
certainly OK at this point.
This is where the rot set in. I pulled the key into my keyring, and tried
to find a path of trust leading to it. The key had two signatures: its
owner's, and some other key's. That other key, though, does not appear on any
keyserver that I normally search (pgp.com, MIT, and pgp.net). As a side
effect of this, I discovered that the AT&T Path Server no longer works,
apparently for the same reason that the USENIX PGP Key Signing Service was
discontinued. So the WoT has failed me.
"But," I said to myself, "I'm in the same country as them, and I'm well
connected; I'll verify their key by phone, sign it, and help out." So I
called unannounced, the phone was answered by someone claiming to be who I
expected to answer it, who answered the right questions, and so on, and at
this point I'm quite convinced that I am talking to who I think I am. I
asked to verify their PGP key, and after a little futzing (the person has
recently upgraded from 2.6.3i, and was unused to the GUI) verified the
fingerprint.
I mentioned "keyserver" somewhere in there, and was surprised to hear "Oh,
no, my key isn't on any keyservers. You can only get it from the web page."
There was a distinct undertone of "can't trust keyservers, bad things" in
there. (Again, let me stress that I'm not criticising the organisation or
the individual, who after all has more important things to do than master
PGP.) So I quickly told PGP to update the key from a server, and lo! three
new signatures appeared, as well as another unsigned identity (it's an RSA
key, so this is innocently possible). But who were these other signers?
Clearly the organisation's manager was unaware of them, as they were
equally unaware that the key was on any server anywhere. The primary
identity on the individual's key, by the way, was an address (the
equivalent of) [EMAIL PROTECTED]. It was only a secondary address that
mentioned the organisation in question.
Now the three new signatures come from people whose names were not
recognised by the individual. Two are from two separate keys owned by one
or more people with exactly the same full name, but different email
addresses on the kind of servers that don't really attest to the identity
of the address owner. These two keys cross-sign each other, so they are
probably really the same person. But there are no other signatures on them,
so again the WoT is not helpful.
(Aside: A Google search on the signer's name came back with the words
"Personality Disorder Rabies" in the same summary of the web page as one of
the possible people the signer might be. Writing this is certainly an
amusing pursuit.)
And the third signature comes from another email account on a low-cost bulk
ISP, and the key in question has been revoked. Searching for other keys
owned by the same name revealed a very small, interconnected network of 6
keys, all cross signing each other but otherwise uncertified by any other
party. Four of them are the same name, and I speculate that one of the
others is a nym; the last may or may not be, I have no grounds to believe
that it is. One of these four didn't show up on my initial search, because
it didn't appear on my default keyserver, but it happened to be on one of
the others.
I note that way back when, someone did an analysis of the connectivity of
PGP keys (it might have been Mike Reiter of AT&T Pathserver, but it might
not too, and I wouldn't want to misdirect credit, and a quick search
doesn't turn up the study). At the time, the vast bulk of keys were
connected into one huge web. Here I've stumbled onto three disjoint
backwaters (noting that the signatures were unidirectional on the first
individual's key).
"Get to the point, Greg," I imagine you all saying. OK.
I was an early adopter of PGP, and put a lot of effort into advancing the
Web of Trust. I use PGP actively on a daily basis. Nevertheless, I have
been disillusioned for some time, and today's fun prodded me into writing
this. Here is a list of things which I consider to be problems with "the
PGP Scene":
. PGP might be the easiest crypto package to use, but it's still an order
of magnitude too hard. (See "Why Johnny Can't Encrypt", by Alma Whitten
and Doug Tygar,
http://www.usenix.org/publications/library/proceedings/sec99/whitten.html )
. The keyservers are polluted. My own keys have old, stale email addresses
on them, and no matter how hard I try to keep the current addresses at the
top, sometimes a stale key will come in and reorder them again.
. More keyserver pollution is caused by people signing keys so that PGP
doesn't warn them about using untrusted keys, and then the signatures
"escape" to keyservers somehow. Newer versions try to address this by
making it explicit whether the signature should be exportable or not, but...
. The keyservers are inadequate too. Unless keys appear on them, they don't
help, yet people often don't seem to put their keys there.
. There are disjoint groups of keyservers which don't communicate updates.
. Many of the keys now on the keyservers are only self-signed, and don't
contribute to the Web of Trust at all (except to slow down the keyservers).
This is at least partly an education problem: new users have enough trouble
creating a key, without actually getting connected into the WoT.
. I find that interoperability problems are finally reducing in magnitude
again, but they fragmented the PGP world so badly that important services
were dismantled.
In short, PGP is only useful to me, today, to communicate to a small group
of well informed people who I know personally or through very close mutual
friends. Funnily enough, that is *exactly* where we were nearly 10 years
ago! Has PGP failed?
To answer my own question, I don't think it has failed. It very much helped
to awaken and mobilise the public, and I *do* use it a lot. But it hasn't
really succeeded either. There is a lot more work to be done yet. I blame
it on PKI.
Greg.
Greg Rose                      INTERNET: [EMAIL PROTECTED]
Qualcomm Australia             VOICE: +61-2-9181-4851   FAX: +61-2-9181-5470
Suite 410, Birkenhead Point,   http://people.qualcomm.com/ggr/
Drummoyne NSW 2047             232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
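The trust-path search and the cross-signing "backwaters" the post describes can be made concrete with a small model of a keyring as a signature graph. The following is an added example, not code from the post, from PGP or from any keyserver; every key name, signature, keyserver snapshot and the revoked key in it are constructed to mirror the narrative (a target key with one unknown signer locally, three more signers appearing after a merge from two servers that do not share updates, two of them an isolated same-name pair and one a member of a six-key cross-signing cluster that no single server holds completely). It goes a little beyond the post by also handling a revoked signer and a key that does connect to the root through a friend.

```python
"""Model a PGP keyring as a signature graph and look for paths of trust.

Added example, not from the original post or from any PGP implementation.
All key names, signatures and keyserver snapshots below are constructed.
A keyring is a dict: key_id -> set of key_ids that have signed that key
(a self-signature is a key signing itself).
"""
from collections import deque


def cross_signed(*keys):
    """Constructed helper: a group in which every key signs every other key."""
    return {k: set(keys) for k in keys}


# My own key is the only ultimately trusted root; two friends and I have
# signed each other, and friend1 has signed a colleague's key.
TRUSTED = {"greg"}
LOCAL_KEYRING = {
    **cross_signed("greg", "friend1", "friend2"),
    "colleague": {"colleague", "friend1"},
    # The target key as fetched from the web page: self-signed plus one
    # signer whose key is on no keyserver I search.
    "org_contact": {"org_contact", "unknown_x"},
    "unknown_x": {"unknown_x"},
}

# Keyserver A (my default): three more signatures on the target key, from a
# cross-signed pair with the same name and from a key on a bulk ISP that
# belongs to a cross-signing cluster. The cluster's sixth member is absent.
KEYSERVER_A = {
    "org_contact": {"org_contact", "unknown_x", "samename_1", "samename_2", "bulk_isp"},
    **cross_signed("samename_1", "samename_2"),
    **cross_signed("bulk_isp", "clique_1", "clique_2", "clique_3", "clique_4"),
}
# Keyserver B does not exchange updates with A; it alone holds clique_5.
KEYSERVER_B = cross_signed("bulk_isp", "clique_1", "clique_2", "clique_3", "clique_4", "clique_5")
# The bulk-ISP key has since been revoked, so it certifies nothing.
REVOKED = {"bulk_isp"}


def merge_keyrings(*rings):
    """Union of the signatures seen on several servers. PGP's 'update from
    server' does the same merge, which is how signatures the key owner never
    saw turn up on their own key."""
    merged = {}
    for ring in rings:
        for key, signers in ring.items():
            merged.setdefault(key, set()).update(signers)
    return merged


def find_trust_path(ring, trusted, target, revoked=frozenset(), max_depth=4):
    """Breadth-first search from `target` back along signer edges until a key
    in `trusted` is reached. Self-signatures and revoked keys certify nothing.
    Returns the chain [introducer, ..., target], or None if there is none."""
    if target in trusted:
        return [target]
    queue = deque([[target]])
    seen = {target}
    while queue:
        path = queue.popleft()
        if len(path) > max_depth:
            continue
        key = path[0]
        for signer in sorted(ring.get(key, ())):
            if signer == key or signer in revoked or signer in seen:
                continue
            longer = [signer] + path
            if signer in trusted:
                return longer
            seen.add(signer)
            queue.append(longer)
    return None


def _reachable(adj, start):
    seen, stack = set(), [start]
    while stack:
        key = stack.pop()
        if key not in seen:
            seen.add(key)
            stack.extend(adj.get(key, ()))
    return seen


def signing_islands(ring, trusted):
    """Groups of keys that only certify each other: every member reaches every
    other along signature edges, no signature enters the group from outside,
    and no trusted key is inside. A lone key nobody has signed is a group of
    one. Signatures *from* such a group add nothing to the web of trust."""
    signed_by = {k: {s for s in v if s != k} for k, v in ring.items()}
    signs = {}
    for key, signers in signed_by.items():
        for s in signers:
            signs.setdefault(s, set()).add(key)
    islands, done = [], set()
    for key in sorted(ring):
        if key in done:
            continue
        group = _reachable(signs, key) & _reachable(signed_by, key)  # SCC of key
        done |= group
        incoming = set().union(*(signed_by.get(k, set()) for k in group)) - group
        if not incoming and not (group & trusted):
            islands.append(frozenset(group))
    return islands


MERGED_KEYRING = merge_keyrings(LOCAL_KEYRING, KEYSERVER_A, KEYSERVER_B)

if __name__ == "__main__":
    print("path to colleague:", find_trust_path(LOCAL_KEYRING, TRUSTED, "colleague"))
    for name, ring in (("local", LOCAL_KEYRING), ("merged", MERGED_KEYRING)):
        print(name, "path to org_contact:", find_trust_path(ring, TRUSTED, "org_contact", REVOKED))
        print(name, "islands:", [sorted(i) for i in signing_islands(ring, TRUSTED)])
```

Run stand-alone it reaches the colleague's key in two hops, finds no path to the target key before or after the keyserver merge, and reports one island (the lone unknown signer) in the local ring and three (the lone signer, the same-name pair and the six-key cluster) after merging both servers; the cluster's sixth member is only visible once the second server's copy is merged in.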