Re: S/MIME and web of trust (was Re: NAI pulls out the DMCA stick)

2002-05-27 Thread Peter Gutmann 

Eric Murray [EMAIL PROTECTED] writes:

Additionally, there is nothing that prevents one from issuing certs that can
be used to sign other certs.  Sure, there are key usage bits etc but its
possible to ignore them.  It should be possible to create a PGP style web of
trust using X.509 certs, given an appropriate set of cert extensions.

I proposed some very simple additions to X.509 which would allow you to use the
certs in the same way as PGP keys a year or two back.  Unfortunately the PKIX
WG chair is about as open to PGP-style additions to X.509 as some PGP people
are towards S/MIME.

(You can also do PGP using X.509 certs, I've been doing that for awhile just
 out of sheer bloody-mindedness :-).

Peter.

Re: S/MIME and web of trust (was Re: NAI pulls out the DMCA stick)

2002-05-25 Thread Adam Back 

On Fri, May 24, 2002 at 04:40:36PM -0700, Eric Murray wrote:
 Additionally, there is nothing that prevents one from issuing certs
 that can be used to sign other certs.  Sure, there are key usage bits
 etc but its possible to ignore them.

The S/MIME aware MUAs do not ignore the trust delegation bit.
Therefore you can not usefully sign other certs with a user grade
certificate from verisign et al.  If you make your own CA key (with
the trust delegation bit set) and self-sign it, S/MIME aware MUAs will
also flag signatures made with it as invalid signatures because your
self-signed CA key is not signed by a CA in the default trusted CA
key database.

 It should be possible to create a PGP style web of trust using X.509
 certs, given an appropriate set of cert extensions.  If Peter can
 put a .gif of his cat in an X.509 cert there's no reason someone
 couldn't represent a web of trust in it.

While it is true that you can extend X.509v3 I don't see how useful it
would be to add a WoT extension until it got widely deployed.
Recipient MUAs will at best ignore your extensions, and worse will
fail on them until support for such an extension is deployed.  I view
the chances of such an extension getting deployed as close to nil.
The S/MIME MUA / PKI library / CA cartel has a financial incentive to
not deploy it -- as they view it as competition to the CAs business.

Adam

S/MIME and web of trust (was Re: NAI pulls out the DMCA stick)

2002-05-24 Thread Eric Murray 

On Fri, May 24, 2002 at 11:17:08AM -0700, [EMAIL PROTECTED] wrote:
 --
 On 23 May 2002 at 0:24, Lucky Green wrote:
  Tell me about it. PGP, GPG, and all its variants need to die
  before S/MIME will be able to break into the Open Source
  community, thus removing the last, but persistent, block to an
  instant increase in number of potential users of secure email by
  several orders of magnitude.
 
 My impression is that S/MIME sucks big ones, because it commits
 one to a certificate system based on verisign or equivalent.

It uses X.509, which is supposed to be a hierarchical certificate system. 
Verisign is just the dominant X.509 CA.

But as others have pointed out, its possible to become one's own X.509
CA and issue oneself certs.  Netscape and IE browsers will accept certs
from completely made up CAs.  You might have to click on a few do you
really want to do this dialog boxes but that's it.  All you need is a
copy of Openssl and directions off a web site..

Additionally, there is nothing that prevents one from issuing certs
that can be used to sign other certs.  Sure, there are key usage bits
etc but its possible to ignore them.  It should be possible to create
a PGP style web of trust using X.509 certs, given an appropriate set of
cert extensions.  If Peter can put a .gif of his cat in an X.509 cert
there's no reason someone couldn't represent a web of trust in it.

Each user would self-sign their cert.  Or self-sign a CA cert and
use that to sign a cert, same thing.  Trust would be indicated
by (signed) cert extensions that indicate I trust Joe Blow X amount as
a signer of keys.  Each time you added a trust extension you would
generate a new cert using the same key.  Each trust extension would
indicate the entity, their key id (hash of public key), and the degree of
trust.  When you added a trust extension you'd give a copy of the enw
cert to the entity you just added.  They can then append these
certs onto their cert when they authenticate to someone.

When authenticating, you verify the other guys cert, something he signed
with his private key, then all the other people's certs that he sends
in addition to his own, all of which attest to his trustworthiness.
Ideally, you also trust some of the same people, so you now have their
signed statements attesting to a degree of trust in the new guy.
[note, there's probably a conceptal flaw in this since  I'm loopy from
allergy drugs today and probably not thinking as clearly as I think I
am, so be polite when you point out my error.  In any case, the point
is that its possible to do a web of trust in x.509, not that I have a
fully formed scheme for implementing it]

Since all this is in X.509, S/MIME MTAs accept it (unless they are
programmed to not accept self-signed CAs, in which case your MTA is a
slave to Verisign et. al).  You'd need an external program to verify the
web of trust, but that's about it.  And to be honest, exactly zero of the
PGP exchanges I have had have actually used the web of trust to really
verify a PGP key.  I've only done it in testing.  In the real world,
I either verify out of band (i.e. over the phone) or don't bother if
the other party is too clueless to understand what I want to do and getting
them to do PGP at all has already exausted my paticnce.


But why bother?

Even if I could do this X.509 web of trust tomorrow, no one besides a
few crypto-geeks would use it.  People just don't give a shit about other
people reading their email.  Most people can't even be bothered to use
a decent password or shred their credit-card statements.  Only criminals
have anything to hide, right?


--
Eric