Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-12 Thread Ed Gerck



lcs Mixmaster Remailer wrote:

> This is in contrast to the practice in the X.509 PKI, where a root CA
> has the ability to delegate trust as far as it wishes.

This is not correct. In X.509 it is the verifier that defines how that
is accepted and to how many levels, irrespective of what was signed.

The contrast is not true for PGP either.  A signer in PGP may sign
any number of keys that may have a transitive relationship to one
another's signatures as far as the signer wishes -- what the verifier
does (as in X.509) is another story.


> If your browser
> trusts Verisign, and Verisign trusts someone else, you automatically
> trust that other party.

Depends on the browser.  This is not a requirement or feature of X.509,
though often so confused. For an example where it is not, see Apache.


Cheers,

Ed Gerck





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-11 Thread lcs Mixmaster Remailer

A common misconception about the PGP web of trust is that trust flows
through the web along the signatures.  Actually, PGP's trust model is
founded on the principle that "trust isn't transitive".  A signature
is never trusted in PGP unless the user has explicitly indicated that
he personally trusts the signer.  (The new NAI versions of PGP do have
an exception in that the user can mark a signer as a "meta introducer"
allowing trust to flow an extra step.)

This is in contrast to the practice in the X.509 PKI, where a root CA
has the ability to delegate trust as far as it wishes.  If your browser
trusts Verisign, and Verisign trusts someone else, you automatically
trust that other party.

What does flow along PGP's "web of trust" is validity of name-key
bindings.  You know and trust Alice, so you sign her key and mark it
as trusted.  Alice signs Bob's key.  Since you trusted her, you now have
confidence that this is in fact Bob's key.

You know this is Bob's key, but that doesn't mean you automatically trust
it to issue key signatures.  This is a separate decision you make, based
on your knowledge of Bob's character and qualities.  If you do trust him,
you mark his key as trusted.

Bob now signs Carol's key.  You can make a similar determination of
whether Carol is trustworthy.  If she is, you will then trust the
signatures she has made.

You can end up with a chain of Alice-Bob-Carol-David, and determine
that you know David's key.  The only key you had to explicitly verify
was Alice's.  But you had to determine for yourself whether you choose to
trust Alice, Bob, and Carol, in order for this chain to confer validity
on David's key.

Trust models make a distinction between the question of whether a
certificate (name-key binding) is true and accurate, and the question of
whether a key holder is trusted to issue certificates (key signatures).
X.509 and PGP both distinguish these uses, although they do so in
slightly different ways.  In X.509, the certificate issuer (key signer)
decides whether to delegate trust.  In PGP, the verifier (end user)
decides which keys are trustworthy.

People unfamiliar with the issues of cryptographic trust models often
do not clearly distinguish these two concepts, which is unfortunate and
leads to much confusion.
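The validity-versus-trust rule the post describes, as an added worked example (not code from PGP or from the post's author): a small keyring model in which a signature confers validity only when the signer's key is itself valid and you have explicitly marked that signer trusted. The class and function names and the three threshold constants are assumptions, the constants modelled on classic PGP's config defaults.

```python
"""Toy PGP-style validity calculation for the post's Alice-Bob-Carol-David chain.

Added illustration; not code from PGP or from the post's author.  The class
and function names, and the three threshold constants, are assumptions
(the constants are modelled on classic PGP 2.x's config defaults).
"""
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # one fully trusted signer validates a key
MARGINALS_NEEDED = 2   # or two marginally trusted signers
MAX_CERT_DEPTH = 4     # longest introducer chain that still confers validity


@dataclass
class Key:
    name: str
    signed_by: set = field(default_factory=set)   # names of keys certifying this one


class Keyring:
    """Your keyring: who signed whom, which keys you verified, whom you trust."""

    def __init__(self):
        self.keys = {}
        self.verified = set()   # fingerprints you checked out of band yourself
        self.ownertrust = {}    # name -> "complete" | "marginal" | "none"

    def add_key(self, name):
        self.keys.setdefault(name, Key(name))

    def sign(self, signer, subject):
        """Owner of `signer` certifies the name-key binding of `subject`."""
        self.add_key(signer)
        self.add_key(subject)
        self.keys[subject].signed_by.add(signer)

    def verify_directly(self, name):
        """You compared the fingerprint yourself: this establishes validity only."""
        self.add_key(name)
        self.verified.add(name)

    def set_trust(self, name, level):
        """Your explicit judgement of a key's owner as an introducer.

        This is the decision that never propagates: nothing below ever
        derives ownertrust from who signed whom.
        """
        if level not in ("complete", "marginal", "none"):
            raise ValueError(level)
        self.add_key(name)
        self.ownertrust[name] = level

    def compute_validity(self):
        """Return {name: chain depth} for every key whose binding you may rely on.

        A signature counts only if the signer's key is itself valid AND you
        marked the signer trusted.  Validity flows along signatures; trust
        is read from `ownertrust` only.
        """
        depth = {name: 0 for name in self.verified}
        changed = True
        while changed:                      # iterate until no key gains validity
            changed = False
            for key in self.keys.values():
                if key.name in depth:
                    continue
                completes = marginals = 0
                best = None
                for signer in key.signed_by:
                    if signer not in depth or depth[signer] >= MAX_CERT_DEPTH:
                        continue            # unknown signer, or chain too long
                    level = self.ownertrust.get(signer, "none")
                    if level == "complete":
                        completes += 1
                    elif level == "marginal":
                        marginals += 1
                    else:
                        continue            # valid but untrusted: signature ignored
                    d = depth[signer] + 1
                    best = d if best is None else min(best, d)
                if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                    depth[key.name] = best
                    changed = True
        return depth

    def is_valid(self, name):
        return name in self.compute_validity()


def chain_example(trust_carol=True):
    """The post's chain, built from constructed sample data."""
    ring = Keyring()
    ring.verify_directly("Alice")               # the only key you verified yourself
    ring.sign("Alice", "Bob")
    ring.sign("Bob", "Carol")
    ring.sign("Carol", "David")
    ring.set_trust("Alice", "complete")         # three separate trust decisions
    ring.set_trust("Bob", "complete")
    ring.set_trust("Carol", "complete" if trust_carol else "none")
    return ring


if __name__ == "__main__":
    print(sorted(chain_example(True).compute_validity()))    # Alice, Bob, Carol, David
    print(sorted(chain_example(False).compute_validity()))   # Carol valid, David not
```

Withholding trust from Carol leaves her key valid (Bob vouched for it) but stops David's key from becoming valid, which is exactly the separation the post draws.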




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-07 Thread Bill Frantz

At 9:01 AM -0700 9/3/00, David Honig wrote:
> I didn't make myself clear.  I meant that PGP is perfectly useful
> *without any keyservers*.  I am in *favor* of people not publishing
> their keys, except maybe if you were a business and *wanted* cold-calls
> [1].  Sort of like a front-office line and a private back line.
> 
> [1] or access and ownership of the keyserver were limited (think corporate
> online phone directory)

I can think of one time I was very glad my public key was up on a key server.

I had a freshly installed PGP on a machine at work, and I had some
confidential information I needed to send to myself at home.  I downloaded
my public key from the key server, and was faced with the need to verify
it.  I looked thru my pockets, and no key fingerprint.  (I really need new
business cards.)  But I did find one of Carl Ellison's cards with his key's
fingerprint.  Since he had signed my key, the trust equation was, "Do I
trust Carl to introduce me to myself."  Having decided that Carl was indeed
trustworthy in these circumstances, I proceeded to use the key.

Grin - Bill


-
Bill Frantz   | Microsoft Outlook, the | Periwinkle -- Consulting
(408)356-8506 | hacker's path to your  | 16345 Englewood Ave.
[EMAIL PROTECTED] | hard disk. | Los Gatos, CA 95032, USA






Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-07 Thread Bill Stewart

At 08:45 AM 9/4/00 +0200, Jaap-Henk Hoepman wrote:
> What's wrong with the PGP wrappers for Outlook or Eudora? They looked quite
> usable and user friendly to me - as far as any secure email product could
> ever be completely user friendly... The user has to do more stuff than
> usual, and has to have some understanding of what is going on in order to
> judge whether his/her security requirements have been met.

There are some things they're good at; others that they're not.
If you've already got somebody's public keys in your keyring,
the Eudora versions work fine.  If not, then you need to fetch and
verify the key somehow - they're not so good at that.
Older versions of the Eudora implementation are good at processing keys 
included in messages into your keyring,
but are useless at verifying signatures on signed messages
when the only copy of the key you have is in the message itself.
I've recently installed 6.5.8 (still Eudora 3.x), and it's
improved a bit, but I haven't tested it extensively.


Thanks! 
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-07 Thread Bodo Moeller

On Wed, Sep 06, 2000 at 11:50:17AM -0400, Derek Atkins wrote:
> Ray Dillinger [EMAIL PROTECTED] writes:
> 
> > I have long felt that PGP missed a trick when it didn't have
> > automatic expiry for keys -- It should be possible to build
> > into each key an expiration date, fixed at the time of its
> > creation.  For shorter keys, it ought to default to expiring
> > sooner, and not allow expiry more than a year or two out.
> > For a 2048 bit key, it ought to default to something like 10
> > years and let you pick a term up to a century.
> 
> Actually, PGP has always had a key expiry time, even as long ago as
> PGP 2.0 (maybe even longer).  The only problem is that it defaults to
> '0', which means 'no expiry'.

This is not the only problem.  The other problem is that, while in the
previous PGP data format key expiry times used to be in the part of
the key that is hashed for key signing, in the latest key format they
are only present in self-signatures.  Third-party key certifications
in version 4 signature format do not cover the expiry time, thus the
expiry time is pretty much worthless as a countermeasure against key
compromise -- after all, an attacker who knows the key can easily
issue a new self-signature with an updated validity period.

To prevent this protocol error from doing harm, the software used
for key certification should make sure that whenever a key having
an expiry time is signed, the certifying signature should get
a signature validity period that extends into the future no farther
than justified by the (current) key validity period.


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
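Bodo's point and his proposed fix, as an added example that is neither OpenPGP's code nor the author's: simplified v4-style packets showing that a re-issued self-signature leaves a third-party certification intact, and that clamping the certification's own expiry to the key expiry seen at signing time limits the damage. Packet layout, hash inputs and all names are assumptions; only which fields each signature covers follows the v4 format.

```python
"""Why a v4 key's expiry time is not covered by third-party certifications, and
the certifier-side cap proposed above.

Added illustration, not OpenPGP's real packet encoding and not the author's
code: packets are simplified dataclasses and the digests are SHA-1 over a
constructed byte layout.  What is faithful to the v4 format is which fields
each signature covers: the key expiration time is a subpacket of the owner's
*self-signature*, while a third-party certification hashes only the public key
material and user ID (plus the certifier's own hashed subpackets).
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

DAY = 86_400
YEAR = 365 * DAY


@dataclass(frozen=True)
class PublicKey:
    created: int            # seconds since the epoch
    material: bytes         # public key parameters (constructed sample)
    user_id: str


@dataclass(frozen=True)
class Signature:
    signer: str
    digest: bytes                      # hash of what the signature covers
    created: int
    expires: Optional[int]             # this signature's own expiry, None = never
    key_expires: Optional[int] = None  # key-expiration subpacket: self-sigs only


def self_signature(key, now, key_expires):
    """Self-sig made by whoever holds the secret key; it covers the expiry subpacket."""
    h = hashlib.sha1(key.material + key.user_id.encode() + str(key_expires).encode())
    return Signature(key.user_id, h.digest(), now, None, key_expires)


def certify(key, certifier, now, requested_validity, key_expires, cap):
    """Third-party certification of the name-key binding.

    The digest does not include the key expiry, so a later self-signature with a
    different expiry leaves this certification intact.  With cap=True the
    certification's own expiry is clamped to the key expiry seen at signing time.
    """
    h = hashlib.sha1(key.material + key.user_id.encode()).digest()
    expires = None if requested_validity is None else now + requested_validity
    if cap and key_expires is not None:
        expires = key_expires if expires is None else min(expires, key_expires)
    return Signature(certifier, h, now, expires)


def certification_valid(key, cert, now):
    """Does `cert` still vouch for `key`'s binding at time `now`?"""
    expected = hashlib.sha1(key.material + key.user_id.encode()).digest()
    return cert.digest == expected and (cert.expires is None or now < cert.expires)


def scenario(cap):
    """Owner sets a 1-year key expiry; Bob certifies for 5 years; the key is
    compromised after 2 years and the attacker re-issues the self-signature."""
    t0 = 1_000_000_000
    key = PublicKey(t0, b"constructed-sample-key-material", "Alice <alice@example>")
    owner_selfsig = self_signature(key, t0, key_expires=t0 + YEAR)
    cert = certify(key, "Bob", t0, 5 * YEAR, owner_selfsig.key_expires, cap)

    t_compromise = t0 + 2 * YEAR
    attacker_selfsig = self_signature(key, t_compromise, key_expires=t_compromise + 10 * YEAR)
    t_check = t_compromise + DAY
    return {
        # the replacement self-sig makes the key look current again...
        "key_looks_current": attacker_selfsig.key_expires > t_check,
        # ...and Bob's certification digest is untouched by that change...
        "cert_matches_key": certification_valid(key, cert, t0 + DAY),
        # ...so only Bob's own signature expiry decides whether it still vouches
        "cert_still_vouches": certification_valid(key, cert, t_check),
    }


if __name__ == "__main__":
    print("uncapped:", scenario(cap=False))   # cert_still_vouches True
    print("capped:  ", scenario(cap=True))    # cert_still_vouches False
```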




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Ted Lemon


If you sign the revocation certificate in the compromised key, then
the only way it can get revoked is if the owner of the key revokes it
or it's been compromised...

   _MelloN_




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Ben Laurie

Ray Dillinger wrote:
> 
> On Tue, 5 Sep 2000, David Honig wrote:
> 
> > The more hard-core distribute keys to previously known
> > parties on physical media, only.
> 
> 
> I have long felt that PGP missed a trick when it didn't have
> automatic expiry for keys -- It should be possible to build
> into each key an expiration date, fixed at the time of its
> creation.  For shorter keys, it ought to default to expiring
> sooner, and not allow expiry more than a year or two out.
> For a 2048 bit key, it ought to default to something like 10
> years and let you pick a term up to a century.
> 
> This would solve one of the biggest problems -- old keys that
> should long since have expired but which go right on getting
> used.

ftp://ftp.ietf.org/internet-drafts/draft-brown-pgp-pfs-01.txt

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Paul Crowley

I'm still far from convinced that the Web of Trust achieves what it's
supposed to achieve, even when used correctly.  

Consider this question: what do you need to know about a person in
order to feel confident that they are the intended recipient of your
secure communication?  Because I bet the answer is hardly ever "their
legal name".

I recently exchanged some email with a Ruediger Weis I met at a
conference.  When verifying his signature, I wanted to be sure that it
was sent by the person I met.  It would *not* have satisfied me to
know that it was sent by someone of that name, since there are
probably hundreds of people with that name.  And conversely, I don't
actually care if that's his real name - his real legal name can be
Jurgen Schmidt for all I care.  I used the business card he beamed me
to check out his PGP fingerprint, and could therefore be confident
that I was corresponding with the person I met.  If you use this
technique, make sure it's difficult to plant business cards into your
pockets.

I know that the signed information includes an email address as well
as a name.  I'm ignoring that and everyone else should too - there's
no burden on the signer of a key to verify the email address, only the
name.  I can turn up to a keysigning party with my passport and get my
key signed as "Paul Crowley [EMAIL PROTECTED]", because no-one's
expected to check that part.  I think it appears as an ineffective fix
to the problems I'm trying to highlight here.  Note that it does make
sense to sign your *own* key with your email address, so that once
your correspondents decide your key is the right one, they can be
confident of which email address to correspond with!

I don't think the idea of key signing is fundamentally flawed, but I
think we need far more flexibility on what information we bind to a
public key.  I'd like a way of saying "this is the John Smith that I
know, not just any John Smith, and if you've met my friend John Smith
then this is his public key".  I want to bind photographs to keys.
I'd like to say "This is John Smith the famous author", or "This is
the John Smith from the famous case Smith v. Justice 1992".

Are there any commonplace circumstances where confidence in someone's
legal name is enough?
-- 
  __
\/ o\ Employ me! Cryptology, security, Perl, Linux, TCP/IP, and smarts.
/\__/ [EMAIL PROTECTED]  http://www.cluefactory.org.uk/paul/cv/




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Ray Dillinger

On Tue, 5 Sep 2000, Ted Lemon wrote:

> If you sign the revocation certificate in the compromised key, then
> the only way it can get revoked is if the owner of the key revokes it
> or it's been compromised...
> 
>   _MelloN_


This is true, and that's a *sufficient* condition for a revocation. 
I don't know about you though, but my keyring exists in only two 
copies -- the Red Diskette and the Blue Diskette.  If someone 
manages to grab both Diskettes, I won't be able to use the key 
to issue a revocation certificate. So I would prefer to work with 
a CA where it is not a *necessary* condition for a revocation. 

Bear




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread David Honig

At 10:47 PM 9/5/00 -0400, Dan Geer wrote:
> I can tell people never to accept
> an executable mailed to them from anywhere, which will get
> laughed at by all the people in the business world who...

[...who are digging their own graves if they routinely run programs
mailed to them, whether or not they laugh at you now.  

On the positive side, I think my folks see my cautions as less paranoid
after they got a virus.  Similarly with industry and DDoS attacks, or
snarfing credit cards via buffer overflow.  Nothing like a publicized
catastrophe to increase public awareness, and eventually, vigilance.]

dh





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Derek Atkins

RFC2440 (OpenPGP) provides for referral revocations -- you can let
other people revoke your key on your behalf.

-derek

Ray Dillinger [EMAIL PROTECTED] writes:

> On Tue, 5 Sep 2000, Ted Lemon wrote:
> 
> > If you sign the revocation certificate in the compromised key, then
> > the only way it can get revoked is if the owner of the key revokes it
> > or it's been compromised...
> > 
> > _MelloN_
> 
> This is true, and that's a *sufficient* condition for a revocation.
> I don't know about you though, but my keyring exists in only two
> copies -- the Red Diskette and the Blue Diskette.  If someone
> manages to grab both Diskettes, I won't be able to use the key
> to issue a revocation certificate. So I would prefer to work with
> a CA where it is not a *necessary* condition for a revocation.
> 
>   Bear

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/  PP-ASEL  N1NWH
   [EMAIL PROTECTED]    PGP key available




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Derek Atkins

Ray Dillinger [EMAIL PROTECTED] writes:

> I have long felt that PGP missed a trick when it didn't have
> automatic expiry for keys -- It should be possible to build
> into each key an expiration date, fixed at the time of its
> creation.  For shorter keys, it ought to default to expiring
> sooner, and not allow expiry more than a year or two out.
> For a 2048 bit key, it ought to default to something like 10
> years and let you pick a term up to a century.

Actually, PGP has always had a key expiry time, even as long ago as
PGP 2.0 (maybe even longer).  The only problem is that it defaults to
'0', which means 'no expiry'.  So, I'm not convinced that PGP "missed
a trick" here, just that it didn't actually use the feature.

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/  PP-ASEL  N1NWH
   [EMAIL PROTECTED]    PGP key available




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-06 Thread Arnold G. Reinhold

At 4:38 PM -0700 9/5/2000, David Honig wrote:
> At 05:33 PM 9/3/00 -0400, Dan Geer wrote:
> 
> > > How do they exchange public keys?  Via email I'll bet.
> 
> 
> > Note that it is trivial(*) to construct a self-decrypting
> > archive and mail it in the form of an attachment.  The
> > recipient will merely have to know the passphrase.  If
> 
> If you have a secure channel to exchange a passphrase in,
> you have no need for PK.


I don't see any need for self-decrypting archives or passphrases. 
The public key can be sent un-encrypted.  All you need is a trusted, 
not secure, channel to send the key fingerprint. This channel can 
have very low bandwidth and need not be electronic.

Without key fingerprint verification, the primary attack against an 
open exchange of public keys is the Man in the Middle. Remember the 
burden on the Man in the Middle attacker against Bob:

1. The MITM must intercept every key exchange messages that Bob sends 
or receives and then every message of any sort that Bob sends or 
receives thereafter.

2. The MITM must be prepared to detect attempts to verify key 
fingerprints in any message Bob sends or receives. These can involve 
foreign languages, anagrams, subtle phrasing, steganography, etc. In 
general this means that all messages must be screened by a well 
trained human, not automatically.

3. If Bob ever discovers he is being attacked, he can use the MITM to 
feed false information to his adversary.

4. If the attacker ever decides to stop,  Bob will immediately be 
alerted that something was wrong.

I think it is much cheaper and less risky to get one of the party's 
private key by planting a worm program or bugging their keyboard.


At 7:22 PM -0700 9/5/2000, Ed Gerck wrote:

> PGP is based on an “introducer-model” which depends on
> the integrity of a chain of authenticators, the users
> themselves. The users and their keys are referred from one
> user to the other, as in a friendship circle, forming an
> authentication ring, modeled as a list or “web-of-trust”.
> The web-of-trust model has some problems, to wit:

I would add one more problem with the web-of-trust model: the classic 
p**n reliability equation. If there is a 90% chance that any given 
introducer is reliable, then there is only a 34% chance that a chain 
of 10 introducers is reliable.  Would you give even a 90% trust 
rating to a bunch of strangers?  To really work, the web-of-trust 
requires multiple, independent paths between any two individuals so 
you can take the "or" of several chains. That level of density is not 
likely to happen with individuals.

On the other hand, PGP does not depend on the web-of-trust model 
and I doubt very many people try to use it.  I suspect most users 
find other ways to exchange keys with their friends.  As Paul Crowley 
points out, what exactly does it mean to have trust in a stranger's 
public key?


Arnold Reinhold
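Reinhold's p**n figure carried through, and extended to the "or" of several chains (added working, not part of the original post; treating the chains as independent is an assumption, and chains that share an introducer are not independent):

```latex
\begin{aligned}
P(\text{one chain of } n \text{ introducers is reliable}) &= p^{n},
  &\qquad 0.9^{10} &\approx 0.349 \\[4pt]
P(\text{at least one of } k \text{ independent chains is reliable}) &= 1 - (1 - p^{n})^{k},
  &\qquad 1 - (1 - 0.349)^{3} &\approx 0.72 \\[4pt]
k_{\min}(c) &= \left\lceil \frac{\ln(1 - c)}{\ln(1 - p^{n})} \right\rceil,
  &\qquad k_{\min}(0.95) &= \left\lceil \frac{\ln 0.05}{\ln 0.651} \right\rceil = 7
\end{aligned}
```

So with 90%-reliable introducers and 10-hop chains, seven mutually independent chains are needed before the "or" reaches 95% confidence, which is the density Reinhold says individuals are unlikely to produce.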




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dave Del Torto

At 11:14 pm -0400 2000-09-01, Russell Nelson wrote:
> Ed Gerck writes:
> > Even though the web-of-trust seems to be a pretty good part of PGP,
> > IMO it is actually its Achilles heel.
> 
> Nope.  Usability is its Achilles heel.  PGP needs to be wrapped in
> something, and yet it's not really designed to be wrapped.  Even if it
> were, PGP, Inc. changed the interface!  Doh!  And then there's the
> whole encryption method problem.
> 
> No, web-of-trust as a problem is way down there on the list.

Actually, you're both right (or wrong, if you prefer your glass
half-empty ;) it's the poor tools for key management of other
people's public keys that is the Achilles heel, especially since the
integration with seriously kick-ass keyservers is still not there. Of
course, that's also a UI problem, but if you solve it, the
ciphersuites (key types) "encryption method" problem basically goes
away. Transparent key management, guys. Everything is a key
management problem from now on.

dave





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Arnold G. Reinhold

At 3:48 PM -0700 9/1/2000, David Honig wrote:
> At 09:34 AM 8/30/00 -0700, Ed Gerck wrote:
> 
> > BTW, many lawyers like to use PGP and it is a good usage niche.  Here, in the
> > North Bay Area of SF, PGP is not uncommon in such small-group business users.
> 
> How do they exchange public keys?  Via email I'll bet.


So what if they do? A Man in the Middle attack is difficult to mount 
and expensive to maintain. It is also easy to detect if the parties 
ever use out-of-band means to verify keys. I would judge the risk of 
a MITM attack as much lower than the risk of keys being stolen from 
the lawyers' computers.

I think one reason that the web of trust has not caught on is that 
there is not much need in the real world for what it offers: the 
ability for strangers to trust each others' keys.  The one exception 
is in dealings with commercial organizations and the certificate 
authorities and SSL seem to handle that very well, at least in one 
direction. Individuals who already know each other have many ways of 
exchanging and verifying keys without resort to the web of trust.

That said, I do think web of trust is an important concept and one 
that could and should be strengthened. For example, I have managed to 
sneak my key fingerprint in to my books (in the section where I 
explain public key cryptography) but I think authors who wish should 
be allowed and encouraged to do so in a more straightforward way, 
perhaps on their book's copyright page.  If only 10%, say, of 
computer authors did this, it would build a large pool of people 
whose keys would be very easy to verify. I'd also encourage PGP users 
to post their key fingerprint in a publicly accessible place, perhaps 
in a window near their front door or place of business.

Finally, I'd like to see large compilations of key fingerprints 
published on the web on, say, a quarterly basis. A master fingerprint 
for these files could then be widely distributed, both on the 
Internet and using other means such as billboards, display boards in 
university and public libraries, even blinked out in Morse code from 
a window in a tall building. (I call this the billboard defense.)

An MITM attack requires building an electronic balloon around its 
victim. A mere pin-prick, like the billboard defense, is all that is 
needed to burst that balloon.

Arnold Reinhold




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread David Honig

At 09:56 PM 9/2/00 -0400, Arnold G. Reinhold wrote:
> At 3:48 PM -0700 9/1/2000, David Honig wrote:
> > At 09:34 AM 8/30/00 -0700, Ed Gerck wrote:
> > 
> > > BTW, many lawyers like to use PGP and it is a good usage niche.  Here,
> > > in the North Bay Area of SF, PGP is not uncommon in such small-group
> > > business users.
> > 
> > How do they exchange public keys?  Via email I'll bet.
> 
> 
> So what if they do? A Man in the Middle attack is difficult to mount
> and expensive to maintain. It is also easy to detect if the parties
> ever use out-of-band means to verify keys. I would judge the risk of
> a MITM attack as much lower than the risk of keys being stolen from
> the lawyers' computers.

I didn't make myself clear.  I meant that PGP is perfectly useful
*without any keyservers*.  I am in *favor* of people not publishing
their keys, except maybe if you were a business and *wanted* cold-calls
[1].  Sort of like a front-office line and a private back line.

[1] or access and ownership of the keyserver were limited (think corporate
online phone directory)





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer


Well put, Greg.  I do think that a small circle of trusted
friends is a tautology -- if it is not small, it cannot be
trusted.  Was it not ever thus?

--dan





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer


> How do they exchange public keys?  Via email I'll bet.

Note that it is trivial(*) to construct a self-decrypting
archive and mail it in the form of an attachment.  The
recipient will merely have to know the passphrase.  If
transit confidentiality is your aim and old versions 
of documents are irrelevant once the ink is dry on the
proverbial bond paper, this is quite workable and involves
no WoT at all, just POTS.

--dan

* trivial: memorizable by clerks in an all Windows world...





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Jaap-Henk Hoepman

On Fri,  1 Sep 2000 23:14:06 -0400 (EDT) Russell Nelson [EMAIL PROTECTED] writes:
> Ed Gerck writes:
> > Even though the web-of-trust seems to be a pretty good part of PGP,
> > IMO it is actually its Achilles heel.
> 
> Nope.  Usability is its Achilles heel.  PGP needs to be wrapped in
> something, and yet it's not really designed to be wrapped.  Even if it
> were, PGP, Inc. changed the interface!  Doh!  And then there's the
> whole encryption method problem.

What's wrong with the PGP wrappers for Outlook or Eudora? They looked quite
usable and user friendly to me - as far as any secure email product could ever
be completely user friendly... The user has to do more stuff than usual, and
has to have some understanding of what is going on in order to judge whether
his/her security requirements have been met.

Jaap-Henk

-- 
Jaap-Henk Hoepman | Come sail your ships around me
Dept. of Computer Science | And burn these bridges down
University of Twente  |   Nick Cave - "Ship Song"
Email: [EMAIL PROTECTED] === WWW: www.cs.utwente.nl/~hoepman
Phone: +31 53 4893795 === Secr: +31 53 4893770 === Fax: +31 53 4894590
PGP ID: 0xF52E26DD  Fingerprint: 1AED DDEB C7F1 DBB3  0556 4732 4217 ABEF




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Ben Laurie

Dave Del Torto wrote:
> 
> At 11:14 pm -0400 2000-09-01, Russell Nelson wrote:
> > Ed Gerck writes:
> > > Even though the web-of-trust seems to be a pretty good part of PGP,
> > > IMO it is actually its Achilles heel.
> > 
> > Nope.  Usability is its Achilles heel.  PGP needs to be wrapped in
> > something, and yet it's not really designed to be wrapped.  Even if it
> > were, PGP, Inc. changed the interface!  Doh!  And then there's the
> > whole encryption method problem.
> > 
> > No, web-of-trust as a problem is way down there on the list.
> 
> Actually, you're both right (or wrong, if you prefer your glass
> half-empty ;) it's the poor tools for key management of other
> people's public keys that is the Achilles heel, especially since the
> integration with seriously kick-ass keyservers is still not there. Of
> course, that's also a UI problem, but if you solve it, the
> ciphersuites (key types) "encryption method" problem basically goes
> away. Transparent key management, guys. Everything is a key
> management problem from now on.

I'd be amazed if this is true - I manage vast numbers of files with
seriously crap tools - I can't believe I need hugely better tools to
manage the relatively small number of public keys I have to deal with.

I suspect you only think this because you have to deal with the
keyservers more intimately than most of us do.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Dan Geer writes:

> > How do they exchange public keys?  Via email I'll bet.
> 
> Note that it is trivial(*) to construct a self-decrypting
> archive and mail it in the form of an attachment.  The
> recipient will merely have to know the passphrase.  If
> transit confidentiality is your aim and old versions
> of documents are irrelevant once the ink is dry on the
> proverbial bond paper, this is quite workable and involves
> no WoT at all, just POTS.

No!  We've discussed this point many times before -- what if the 
attacker sends a Trojan horse executable?

--Steve Bellovin






Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread David Honig

At 05:33 PM 9/3/00 -0400, Dan Geer wrote:

> > How do they exchange public keys?  Via email I'll bet.
> 
> Note that it is trivial(*) to construct a self-decrypting
> archive and mail it in the form of an attachment.  The
> recipient will merely have to know the passphrase.  If

If you have a secure channel to exchange a passphrase in,
you have no need for PK.




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread P.J. Ponder



On Tue, 5 Sep 2000, David Honig wrote:
> 
> If you have a secure channel to exchange a passphrase in,
> you have no need for PK.
> 

Public key allows digital signatures, which a secure channel for key
exchange doesn't provide.  Two parties may choose to use symmetric
encryption for exchanging messages and agree between themselves to accept
any message encrypted with the secret key to be a binding expression - but
this method does not prevent Alice from encrypting a message to herself
and claiming it came from Bob.  Either party can cheat in this way with
symmetric key.





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Ed Gerck

Ed Gerck wrote:
> Even though the web-of-trust seems to be a pretty good part of PGP,
> IMO it is actually its Achilles heel.

I agree with most comments but they seem to deal more with symptoms. Let
me just clarify/justify the above and why I think this is IMO actually the root
cause of problems.

PGP is based on an “introducer-model” which depends on
the integrity of a chain of authenticators, the users
themselves. The users and their keys are referred from one
user to the other, as in a friendship circle, forming an
authentication ring, modeled as a list or “web-of-trust”.
The web-of-trust model has some problems, to wit:

1. At the end, you may not know very well the last person who
entered the ring ... but you hope that someone else in the ring
does!

2. You may have different rings with “contact points”
which guarantee the referrals. However, no user can know for
sure if everyone in his authentication ring has a valid entry.

3. Let's use the term “chain” to denote such connected rings, which
can also, of course, have multiple connections. The reader should
notice further that the maintenance of this chain -- changing,
adding or deleting data -- is done by the authenticators themselves
in a happenstance pattern.

4. There is no guarantee if and when the chain is up-to-date.

5. Everyone familiar with the classical problem (or need) of
file-locking in a multi-user environment will recognize that
there is no “file-locking” mechanism here.

6. PGP does not scale well in size (because of the aforementioned
asynchronous maintenance difficulties of the web of trust)
or time (because of the same maintenance problems reflected
in the certificate of revocation certificates, a CRL for PGP
certificates).

So, while PGP enforces a "hard" trust policy with “trust is
intransitive” to setup entries in the web of trust, it uses a
"soft" policy to upkeep entries, without discussing their
validity/gauge or allowing for time factors and lack of synch.

This is not a dismissive treatment of PGP! One of the benefits
of PGP is that it can interoperate with a CA fully-trusted by
all parties in a domain (such as an internal CA in a company)
that is willing to guarantee certificates as a trusted introducer.
Better tools would certainly be necessary for central administration
of PGP trust parameters in a corporate system, but the flexibility of
PGP makes it a good example of a quasi-decentralized system.

Because there is no entity responsible if (or when)
something goes wrong – not even the user – the use of PGP
in a commercial situation is difficult and may not
adequately protect the business interests involved.

But again, within a circle of close friends or clients this is not
important.

Cheers,

Ed Gerck





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Dan Geer


I said,

> Note that it is trivial(*) to construct a self-decrypting
> archive and mail it in the form of an attachment.  The
> recipient will merely have to know the passphrase.  If
> transit confidentiality is your aim and old versions
> of documents are irrelevant once the ink is dry on the
> proverbial bond paper, this is quite workable and involves
> no WoT at all, just POTS.

Steve said,

> No!  We've discussed this point many times before -- what if the
> attacker sends a Trojan horse executable?

David said,

> If you have a secure channel to exchange a passphrase in,
> you have no need for PK.

Correct to both critics.  I can, indeed, dictate the 40 page
contract that is to be signed tomorrow afternoon over my STU3
telephone, if indeed both parties have one.  I can rely on 
facsimile which is what J. Random Company's legal counsel
would otherwise likely do.  I can tell people never to accept
an executable mailed to them from anywhere, which will get
laughed at by all the people in the business world who mail
each other so many attachments that it can be truly said
that e-mail attachments are the poor man's distributed file
system.  All true.  There is, indeed, nearly no security if
one is really and truly serious.

What I had hoped to convey was that there was a certain amount
of "good" in getting the kinds of documents real businesses
exchange under time pressure all day every day to be encrypted
at a level of effort that approximates what they would be
doing anyway.  If the recipient needs no local environment
pre-conditions other than the genes to call me up when he
gets an attachment that says I demand a passphrase, I think
it is in fact fair to say that a cost-effective improvement
has been snatched from the jaws of defeat.  Maybe, just maybe,
if I can train them to think that unencrypted = anomalous
we can take a step that matters, like locally installing some
software whose miserable usability is proportional to its
endorsement by the local security guy.

There is nearly nothing I can do to prevent you from stealing
my car if you want it way bad, but I sure as hell can make
stealing my neighbor's car more attractive than stealing mine.
That is risk management.

--dan





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread David Honig

At 10:17 PM 9/5/00 -0400, P.J. Ponder wrote:


On Tue, 5 Sep 2000, David Honig wrote:
 
 If you have a secure channel to exchange a passphrase in,
 you have no need for PK.
 

Public key allows digital signatures, 

A digsig does indeed rely on PK, but you needn't use digsigs
to use PK.  Digsigs are orthogonal to the confidentiality you
get using PK to exchange ephemeral private keys (eg PGP).


which a secure channel for key
exchange doesn't provide.  Two parties may choose to use symmetric
encryption for exchanging messages and agree between themselves to accept
any message encrypted with the secret key to be a binding expression - but
this method does not prevent Alice from encrypting a message to herself
and claiming it came from Bob.  Either party can cheat in this way with
symmetric key.

PK lets you send a key via postcard which gives you strong envelopes later.
PK's ability to publish (phone book) or sign (digsigs) a key or message
are fully independent of PK's ability to let you email a key which remains
secure after sending an insecure email.

Given Carnivore (tm), 'privately' emailing your public key is
spook-equivalent to publishing on a web server, though e.g., using a
different PK for each correspondent makes individual emails slightly more
difficult to attack.  The more hard-core distribute keys to previously known
parties on physical media, only.

cheers,
dh



Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-05 Thread Ray Dillinger





On Tue, 5 Sep 2000, David Honig wrote:


  The more hard-core distribute keys to previously known
parties on physical media, only.


I have long felt that PGP missed a trick when it didn't have 
automatic expiry for keys -- It should be possible to build 
into each key an expiration date, fixed at the time of its 
creation.  For shorter keys, it ought to default to expiring 
sooner, and not allow expiry more than a year or two out.  
For a 2048 bit key, it ought to default to something like 10 
years and let you pick a term up to a century.  

This would solve one of the biggest problems -- old keys that 
should long since have expired but which go right on getting 
used. 

As for the other big problem -- compromise revocations -- 
The CA's sure as heck ought to propagate compromise certs the 
same way news articles get propagated, and not allow them to 
expire until the key they refer to would have expired.  There 
has to be a way to validate a compromise cert though - otherwise 
someone could kill a key by sending a spurious one to any CA. 
Once a CA is sure that a compromise cert is valid (by whatever 
protocol you've worked out with your initial CA, which may 
include you showing up in person and signing a piece of paper 
saying the key is dead), it ought to digitally sign the damn 
thing, and that would begin the propagation process.  

I guess I'm more a believer in a "web of CA's" than I am in a 
"Web of Trust", at least as it applies to encryption use in 
public or in businesses.  In a conspiracy, you've got your own 
CA, and it doesn't necessarily talk to anyone else's, and that's 
the way it should be.  Among Friends, you've got your web of 
trust, and that's the way it should be.  

Ray Dillinger
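Ray's proposal above, as an added Python sketch that is not PGP code or anything posted in this thread: expiry is fixed when the key is created, with size-dependent defaults and caps; a compromise cert is honored only once a trusted CA has countersigned it, so a spurious cert cannot kill a key; and accepted revocations are kept until the key they refer to would have expired anyway. The `CA`, `Registry` and `CompromiseCert` names, the HMAC-based countersignature (a stand-in for a real digital signature) and the constructed dates are assumptions for illustration; the 1-/2-year and 10-/100-year terms follow the numbers in the post.

```python
"""Key-expiry and compromise-cert handling sketch (added example, not PGP's own code)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

DAY = timedelta(days=1)


def term_policy(bits: int) -> Tuple[timedelta, timedelta]:
    """(default term, maximum term) for a key of `bits` size.

    Constructed from the post: short keys expire soon and may not run more than
    a year or two; a 2048-bit key defaults to ~10 years and may run up to a century.
    """
    if bits < 2048:
        return 365 * DAY, 2 * 365 * DAY
    return 10 * 365 * DAY, 100 * 365 * DAY


@dataclass(frozen=True)
class Key:
    key_id: str
    bits: int
    created: datetime
    expires: datetime  # fixed at creation; the frozen dataclass cannot be extended later


def make_key(key_id: str, bits: int, created: datetime,
             term: Optional[timedelta] = None) -> Key:
    """Create a key whose expiry is decided now, within the policy cap for its size."""
    default, maximum = term_policy(bits)
    term = default if term is None else term
    if term <= timedelta(0) or term > maximum:
        raise ValueError(f"term {term} outside policy for a {bits}-bit key (max {maximum})")
    return Key(key_id, bits, created, created + term)


@dataclass(frozen=True)
class CompromiseCert:
    key_id: str
    issued: datetime
    ca_name: str
    tag: bytes  # CA countersignature over (key_id, issued); HMAC stands in for a real signature


class CA:
    """Hypothetical CA that countersigns a compromise cert after verifying it out of band."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret

    def _digest(self, key_id: str, issued: datetime) -> bytes:
        msg = f"revoke:{key_id}:{issued.isoformat()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def countersign(self, key_id: str, issued: datetime) -> CompromiseCert:
        return CompromiseCert(key_id, issued, self.name, self._digest(key_id, issued))

    def verify(self, cert: CompromiseCert) -> bool:
        return cert.ca_name == self.name and hmac.compare_digest(
            cert.tag, self._digest(cert.key_id, cert.issued))


class Registry:
    """One relying party's key store; only a fixed set of CAs may revoke keys in it."""

    def __init__(self, trusted_cas: Iterable[CA]):
        self.trusted: Dict[str, CA] = {ca.name: ca for ca in trusted_cas}
        self.keys: Dict[str, Key] = {}
        self.revoked: Dict[str, CompromiseCert] = {}

    def add_key(self, key: Key) -> None:
        self.keys[key.key_id] = key

    def accept_revocation(self, cert: CompromiseCert) -> bool:
        """Honor a compromise cert only if a trusted CA countersigned it for a known key."""
        ca = self.trusted.get(cert.ca_name)
        if ca is None or not ca.verify(cert) or cert.key_id not in self.keys:
            return False
        self.revoked[cert.key_id] = cert
        return True

    def status(self, key_id: str, now: datetime) -> str:
        key = self.keys.get(key_id)
        if key is None:
            return "unknown"
        if key_id in self.revoked:
            return "revoked"
        return "valid" if now < key.expires else "expired"

    def prune_revocations(self, now: datetime) -> int:
        """Drop compromise certs only once the key they refer to would have expired anyway."""
        stale = [k for k in self.revoked if now >= self.keys[k].expires]
        for k in stale:
            del self.revoked[k]
        return len(stale)


if __name__ == "__main__":
    t0 = datetime(2000, 9, 5, tzinfo=timezone.utc)  # constructed date
    ca = CA("corp-ca", b"constructed-secret")
    reg = Registry([ca])
    reg.add_key(make_key("alice", 2048, t0))
    reg.add_key(make_key("bob", 768, t0))
    print("alice", reg.status("alice", t0 + DAY), "bob", reg.status("bob", t0 + 400 * DAY))
    reg.accept_revocation(ca.countersign("alice", t0 + DAY))
    print("alice after revocation:", reg.status("alice", t0 + 2 * DAY))
```

The point of `prune_revocations` is the retention rule from the post: a revocation is only safe to forget once the key's own clock has run out, so the expiry fixed at creation also bounds how long every relying party must carry the compromise cert.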





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread Nelson Minar

Nice note, Greg, thank you. 

I remember the call to arms of PGP, get the whole world encrypting
email. And who can forget Gilmore's Free S/WAN goal, to secure 5% of
Internet traffic by the end of 1996? These proclamations were hugely
inspirational for me.

These efforts helped advance practical cryptography on the net, placed
the core ideas of cypherpunkism in the minds of a lot of people
architecting apps on the net today. At the same time, many of these
pioneering efforts have had a lot less success than their originators
had hoped. It's important to examine why, to learn.

Personally, I think the problem is some combination of the technical
problems being harder than we'd hoped (secure key distribution in
particular), and not enough attention paid to user experience design.
That, and people are simply slow to change what they do.


I note that way back when, someone did an analysis of the connectivity of 
PGP keys (it might have been Mike Reiter of ATT Pathserver, but it might 
not too)

Neal McBurnett, http://bcn.boulder.co.us/~neal/pgpstat/
He still updates the web page, but the last data is almost 3 years
old. It'd be interesting for someone to rerun the analysis now, see
how the community has fragmented.


My own personal shame - I'm still using a 768 bit RSA key I published
5 years ago and intended to expire 3 years ago. I have other keys and
people occasionally send me mail encrypted with them, but I can't
decrypt them because I've lost the keys or passphrases.

 [EMAIL PROTECTED]
.   .  . ..   .  . . http://www.media.mit.edu/~nelson/

Make your computer useful 24 hours a day: http://www.popularpower.com/




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread Ed Gerck



Greg Rose wrote:

 I was an early adopter of PGP, and put a lot of effort into advancing the
 Web of Trust. I use PGP actively on a daily basis. Nevertheless, I have
 been disillusioned for some time, and today's fun prodded me into writing
 this. Here is a list of things which I consider to be problems with "the
 PGP Scene":

I discussed these problems (and others, listed in http://www.mcg.org.br/cert.htm)
with the PGP management during two week-long visits a former Director and
their security architect made to me while I was in Brazil in 1997/8.  Some
of the problems I mentioned have been solved, others have remained. Some solutions
are indicated in the cert.htm paper, including the question of central administration
with its pros and cons. I think that PGP is a fine program for communication within a
small circle of friends but, beyond this which was the initial goal anyway, PGP does
not have the capabilities to do the job.  However, PGP could be used as a component
in a system that would provide for a wider usage scope -- which, however, would require
IMO a radical re-design of the web-of-trust. Even though the web-of-trust seems to be
a pretty good part of PGP, IMO it is actually its Achilles heel.

BTW, many lawyers like to use PGP and it is a good usage niche.  Here, in the
North Bay Area of SF, PGP is not uncommon in such small-group business users.

Cheers,

Ed Gerck





Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread David Honig

At 09:34 AM 8/30/00 -0700, Ed Gerck wrote:

BTW, many lawyers like to use PGP and it is a good usage niche.  Here, in the
North Bay Area of SF, PGP is not uncommon in such small-group business users.

How do they exchange public keys?  Via email I'll bet.

Bitpushing MDs should be another 'good niche' ---but not many shrinks counsel
on line (what if someone in an Antarctic station flips out?).  I wonder
what teleradiologists use.



Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread Russell Nelson

Ed Gerck writes:
  Even though the web-of-trust seems to be a pretty good part of PGP,
  IMO it is actually its Achilles heel.

Nope.  Usability is its Achilles heel.  PGP needs to be wrapped in
something, and yet it's not really designed to be wrapped.  Even if it
were, PGP, Inc. changed the interface!  Doh!  And then there's the
whole encryption method problem.

No, web-of-trust as a problem is way down there on the list.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com |
Crynwr sells support for free software  | PGPok | Damn the firewalls!
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Full connectivity ahead!
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |