Re: WoT question - policy
On Fri, 16 Nov 2018 18:47:05 +0100, Stefan Claas wrote:

> > But i fail to see what any of this has to do with minors
> > specifically (surely the good guidance applies after reaching the
> > age of majority as well), or how law enforcement happened to sneak
> > in at the end there. I suspect you're imagining some specific
> > scenario that i don't know about, but i don't know what it is or
> > how it relates to OpenPGP certification.
>
> While minors are usually smarter (or they think they are) than their
> parents my thought is/was to create a policy which shows clearly
> that i try to do a proper verification, give a sig level to do my
> best. In case something could happen i can show a postcard.
>
> I mean why do we have the possibility for a WoT verification
> with its sig levels? If i issue a sig0 that could mean i don't like
> to tell because i have something to hide to the public WoT public or
> i cheat. Sure if people use other policies or none they could do
> the same for level 2 and 3 :-(

Sorry for the late reply.

I like to give a (fictitious) example. A person with bad things in mind
could theoretically use anonymous email services via Tor or Remailer
Services via Tor, with a proper looking name used in his/her email/nym
address. I believe that a lot of people do not care too much from what
domain an email arrives, as long as the email is not spam. With my
approach there is a postcard. With the currently used validation model
people would have a hard time to find the bad person, in case he/she
would abuse the WoT.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: WoT question - policy
On Fri, 16 Nov 2018 11:31:35 -0500, Daniel Kahn Gillmor wrote:

> On Fri 2018-11-16 17:00:33 +0100, Stefan Claas wrote:
> > I understand your points, but like to point out my view of sig0
> > and why i think it is not good and why i wrote a policy that way.
>
> I think you're talking about this:
>
> > With the sig0 approach i have the following problem: I could
> > create a couple of fake keybase accounts, for example, give each
> > other a sig0 and then what is this good for if i follow the advise
> > from the blog and what trust should a third party gain from this
> > many sig0 on such a key?
>
> I confess i do not understand what this has to do with sig0. Surely
> the same "attack" can be mounted via sig2? I also don't know what
> "advise from the blog" means, and i don't think the word "trust" in
> the final question is well-defined -- what third party gains what
> kind of trust? Sorry to be so dense!

O.k. before i try to explain what i mean i like to ask why do we have,
or need, a Web of Trust and what is it good for?

You are a well respected community member, i assume. For me it would
be enough if your key bears no sigs. If i would like to communicate
with you i only need to be sure that the fingerprint matches, when
downloading your key from your web site. Same imho applies if i would
be an activist and would like to communicate with EFF for example.
I download the key from their site and encrypt to them.

Now, since we have PGP and GnuPG with the Web of Trust and its sig
levels, you make your points on your blog. I understand, as non-native
English speaker, that i or someone else should think about to consider
to use sig level 0. With my humble approach i avoid sig level 0 and
also try with sig2 level and sig3 to do my best to avoid any surprises,
due to the fact that i like to use a postcard / letter method for
verification, so that a third party or the requester know there is
some documentation (the postcard) available.

If we had certified CA's globally, like Governikus, and they would do
cross certifications, PGP or GnuPG would not need all those sig
levels, every user would be properly registered if he/she likes to do
so and there would be no need for an extensive explanation in the
manual nor a discussion about sig levels, policies and what not.
Everybody is still free, in case of not trusting Governmental
institutions, to use PGP / GnuPG the classic way.

> In response to the situation i *think* you're describing, i'd say:
>
>    If you rely on mere quantity of any type of certification from
>    parties you cannot identify and have no clear reason to trust, then
>    you are open to a trivial Sybil attack.
>    [https://en.wikipedia.org/wiki/Sybil_attack]

Yes.

> >> Keep it simple. (or, don't bother)
> >
> > Agreed, use X.509... ;-)
>
> eh? I have never said (and would never say) that X.509 is "simple".
> it's grossly overcomplicated for what it's typically used for, even
> worse than OpenPGP.

This was more a joke, but i must admit (i own a classII and classIII
X.509 certificate) that in combination with Thunderbird there is no
learning phase and it's quite simple to use, and you have the assurance
that the name and email belong to the person you are communicating
with, without consulting a manual etc.

> > (disagree, see my point when it comes to Protection of Minors)
>
> I think you're referring to this part of
> https://stefan_claas.keybase.pub/policy.txt:
>
> > ***Protection of minors***
> >
> > While there is no law, as far as i know, which says you are only
> > allowed to use strong encryption tools if you are an adult i like
> > to point out one thing which parents or young teenagers, brand new
> > to PGP / GnuPG and the Web of Trust, must understand.
> >
> > The word trust does *not* mean: Hey, this is a cool girl or guy, i
> > can trust, because he/she uses PGP/GnuPG and has signatures on
> > his/her public key. It simply means that it publicly states that
> > "someone" has somehow attested that the public key belongs to that
> > "person".
> >
> > Therefore i strongly advise parents and young teenagers to backup
> > the secret key, *including the passphrase* written on a piece of
> > paper. Deposit them in a safe place. Backup your communications and
> > encrypt to yourself. Should something happen law enforcement is
> > then able to read the messages.
>
> The middle paragraph is exactly the point i was making in my earlier
> mail -- definitely agree. :)

:-)

> But i fail to see what any of this has to do with minors specifically
> (surely the good guidance applies after reaching the age of majority
> as well), or how law enforcement happened to sneak in at the end
> there. I suspect you're imagining some specific scenario that i
> don't know about, but i don't know what it is or how it relates to
> OpenPGP certification.

While minors are usually smarter (or they think they are) than their
parents my thought is/was to create a policy which shows clearly
that i try to do a proper verification, give a sig level to do my
best. In case something could happen i can show a postcard.

I mean why do we have the possibility for a WoT verification
with its sig levels? If i issue a sig0 that could mean i don't like
to tell because i have something to hide to the public WoT public or
i cheat. Sure if people use other policies or none they could do
the same for level 2 and 3 :-(
Re: WoT question - policy
On Fri 2018-11-16 17:00:33 +0100, Stefan Claas wrote:
> I understand your points, but like to point out my view of sig0
> and why i think it is not good and why i wrote a policy that way.

I think you're talking about this:

> With the sig0 approach i have the following problem: I could create
> a couple of fake keybase accounts, for example, give each other a
> sig0 and then what is this good for if i follow the advise from the
> blog and what trust should a third party gain from this many sig0 on
> such a key?

I confess i do not understand what this has to do with sig0. Surely
the same "attack" can be mounted via sig2? I also don't know what
"advise from the blog" means, and i don't think the word "trust" in
the final question is well-defined -- what third party gains what
kind of trust? Sorry to be so dense!

In response to the situation i *think* you're describing, i'd say:

   If you rely on mere quantity of any type of certification from
   parties you cannot identify and have no clear reason to trust, then
   you are open to a trivial Sybil attack.
   [https://en.wikipedia.org/wiki/Sybil_attack]

>> Keep it simple. (or, don't bother)
>
> Agreed, use X.509... ;-)

eh? I have never said (and would never say) that X.509 is "simple".
it's grossly overcomplicated for what it's typically used for, even
worse than OpenPGP.

> (disagree, see my point when it comes to Protection of Minors)

I think you're referring to this part of
https://stefan_claas.keybase.pub/policy.txt:

> ***Protection of minors***
>
> While there is no law, as far as i know, which says you are only allowed
> to use strong encryption tools if you are an adult i like to point out
> one thing which parents or young teenagers, brand new to PGP / GnuPG and
> the Web of Trust, must understand.
>
> The word trust does *not* mean: Hey, this is a cool girl or guy, i can trust,
> because he/she uses PGP/GnuPG and has signatures on his/her public key. It
> simply means that it publicly states that "someone" has somehow attested
> that the public key belongs to that "person".
>
> Therefore i strongly advise parents and young teenagers to backup the secret
> key, *including the passphrase* written on a piece of paper. Deposit them in
> a safe place. Backup your communications and encrypt to yourself. Should
> something happen law enforcement is then able to read the messages.

The middle paragraph is exactly the point i was making in my earlier
mail -- definitely agree. :)

But i fail to see what any of this has to do with minors specifically
(surely the good guidance applies after reaching the age of majority
as well), or how law enforcement happened to sneak in at the end
there. I suspect you're imagining some specific scenario that i
don't know about, but i don't know what it is or how it relates to
OpenPGP certification.

Regards,

--dkg
Re: WoT question - policy
On Fri, 16 Nov 2018 08:03:09 -0500, Daniel Kahn Gillmor wrote:

> On Thu 2018-11-15 23:41:32 +0100, Stefan Claas wrote:
> > or if i sign with sig0 a key on a key signing party, where i also
> > don't know that the person who attended is a good or bad person
>
> OpenPGP identity certifications ("keysignings") make no claims one way
> or the other about a person's moral character.
>
> Such a certification is simply an assertion that the person holding
> the indicated identity also controls the corresponding cryptographic
> key material.
>
> This kind of confusion is exactly why i think cert-levels are a
> "solution" in search of a problem. People already find it hard enough
> to reason about a distributed network of identity assertions (the "web
> of trust") *without* having to factor in certification levels.

I understand your points, but like to point out my view of sig0
and why i think it is not good and why i wrote a policy that way.

> Keep it simple. (or, don't bother)

Agreed, use X.509... ;-)

(disagree, see my point when it comes to Protection of Minors)

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
Re: WoT question - policy
On Thu 2018-11-15 23:41:32 +0100, Stefan Claas wrote:
> or if i sign with sig0 a key on a key signing party, where i also don't
> know that the person who attended is a good or bad person

OpenPGP identity certifications ("keysignings") make no claims one way
or the other about a person's moral character.

Such a certification is simply an assertion that the person holding
the indicated identity also controls the corresponding cryptographic
key material.

This kind of confusion is exactly why i think cert-levels are a
"solution" in search of a problem. People already find it hard enough
to reason about a distributed network of identity assertions (the "web
of trust") *without* having to factor in certification levels.

Keep it simple. (or, don't bother)

--dkg
Re: WoT question - policy
On 16.11.2018 00:40, Dirk Gottschalk via Gnupg-users wrote:
> There's documentation about the trustdb. I read it a while ago, but not
> entirely. You can also set the amount of needed signatures for the
> trust calculations and so on. Then comes the trust deepness into play.
> I also have to read further because I want to "abuse" GnuPG for an
> email controlled bot system inside a bigger company as part of the
> security concept. The commands shall be encrypted and signed and some
> function should be usable by "unknown" users with the needed trust
> level and so on.

For people interested these two articles by Konstantin Ryabitsev go into
details of how things are calculated:

https://www.linux.com/learn/pgp-web-trust-core-concepts-behind-trusted-communication
https://www.linuxfoundation.org/blog/2014/02/pgp-web-of-trust-delegated-trust-and-keyservers/

It may be initially hard to digest but the amount of knowledge these
articles are packed with is unparalleled, and, actually, there are no
other resources on this subject I could find (the GnuPG manual has a
description but IMHO Konstantin's is more clear).

As for the sigs, sig1 are ignored in GnuPG by default, everything else
has the same value. So if Stefan's friends trust his key fully, all keys
he's signed will be equally valid.

On the other matter I doubt anyone would have a serious problem by
signing someone else's key regardless of circumstances. Signing
documents, maybe, as that would qualify as an Advanced Electronic
Signature but signing (certifying) keys? They are technically similar
but that's all.

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
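Two claims in this thread can be checked with a small model rather than by reading trustdb.c: Wiktor's point that sig1 certifications are ignored by default while sig0, sig2 and sig3 are worth the same, and dkg's point that any number of certifications from parties you have no reason to trust is a Sybil cluster that buys nothing. The script below is example code added here; it is not from GnuPG and not from any poster. It is a deliberately simplified version of gpg's classic trust model (per-user-ID bookkeeping, expiry and revocations are left out), using gpg's documented defaults of completes-needed=1, marginals-needed=3, max-cert-depth=5 and min-cert-level=2, and the certification classes 0x10 to 0x13 from RFC 4880 section 5.2.1. The key names ("me", "alice", "bob", "fake0" and so on) are constructed placeholders.

```python
"""
Simplified model of GnuPG's classic trust model (example code added to
this thread; not taken from GnuPG or from any poster).  Defaults mirror
gpg's documented ones: completes-needed=1, marginals-needed=3,
max-cert-depth=5, min-cert-level=2.  Key names are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Certification signature classes from RFC 4880 section 5.2.1.  gpg's sigN
# shorthand is the low nibble: sig0 = 0x10, sig1 = 0x11, sig2 = 0x12, sig3 = 0x13.
GENERIC, PERSONA, CASUAL, POSITIVE = 0x10, 0x11, 0x12, 0x13

# Ownertrust is assigned locally by the trustdb owner; it never travels with a key.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)


@dataclass(frozen=True)
class Cert:
    signer: str   # key that issued the certification
    target: str   # key whose user ID was certified
    klass: int    # GENERIC, PERSONA, CASUAL or POSITIVE


def cert_level(klass):
    """Map a certification class to gpg's sig0..sig3 level."""
    if klass not in (GENERIC, PERSONA, CASUAL, POSITIVE):
        raise ValueError(f"not a certification class: {klass:#x}")
    return klass & 0x0F


def usable_certs(certs, min_cert_level=2):
    """Apply --min-cert-level as gpg documents it: level 0 ("no particular
    claim") is always accepted, levels 1..3 must reach the threshold.  The
    default of 2 therefore drops persona (sig1) certifications only."""
    return [c for c in certs
            if cert_level(c.klass) == 0 or cert_level(c.klass) >= min_cert_level]


def compute_validity(certs, ownertrust, completes_needed=1, marginals_needed=3,
                     max_cert_depth=5, min_cert_level=2):
    """Return {key: "full" | "marginal"} for every key that gains validity.

    Ultimately trusted keys start out fully valid.  Each round, a fully valid
    key that carries ownertrust acts as an introducer: a target becomes fully
    valid with >= completes_needed full introducers or >= marginals_needed
    marginal introducers, and marginally valid if it has any introducer at
    all.  Only fully valid keys introduce further (simplification: depth is
    bounded by rounds rather than tracked per path).
    """
    certs = usable_certs(certs, min_cert_level)
    validity = {k: "full" for k, t in ownertrust.items() if t == ULTIMATE}
    for _depth in range(max_cert_depth):
        full_intro, marg_intro = defaultdict(set), defaultdict(set)
        for c in certs:
            if validity.get(c.signer) != "full":
                continue                      # signer's own key must be valid
            trust = ownertrust.get(c.signer, UNKNOWN)
            if trust in (FULL, ULTIMATE):
                full_intro[c.target].add(c.signer)
            elif trust == MARGINAL:
                marg_intro[c.target].add(c.signer)
        changed = False
        for key in set(full_intro) | set(marg_intro):
            enough = (len(full_intro[key]) >= completes_needed
                      or len(marg_intro[key]) >= marginals_needed)
            new = "full" if enough else "marginal"
            if validity.get(key) != "full" and validity.get(key) != new:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


def scenario_min_cert_level():
    """Wiktor's point: the same certification from a fully trusted introducer,
    issued at each of the four levels.  Returns {level: validity of "bob"}."""
    ownertrust = {"me": ULTIMATE, "alice": FULL}
    base = [Cert("me", "alice", POSITIVE)]        # I verified alice carefully
    return {cert_level(k): compute_validity(base + [Cert("alice", "bob", k)],
                                            ownertrust).get("bob", "unknown")
            for k in (GENERIC, PERSONA, CASUAL, POSITIVE)}


def scenario_sybil(n_fakes=10):
    """dkg's point: n fake keys certify each other with sig3.  Returns what
    the cluster is worth from my trustdb under three ownertrust settings."""
    fakes = [f"fake{i}" for i in range(n_fakes)]
    cluster = [Cert(a, b, POSITIVE) for a in fakes for b in fakes if a != b]
    # 1. I have no relation to any of them: nothing propagates.
    isolated = compute_validity(cluster, {"me": ULTIMATE})
    # 2. I certified fake0 after a sloppy check and gave it marginal
    #    ownertrust: fake0 is valid, the rest stay marginal because
    #    marginals-needed is 3 and marginally valid keys do not introduce.
    mine = cluster + [Cert("me", "fake0", CASUAL)]
    sloppy = compute_validity(mine, {"me": ULTIMATE, "fake0": MARGINAL})
    # 3. Full ownertrust on fake0 makes the whole cluster fully valid: the
    #    lever is my ownertrust, not the number of certifications.
    trusting = compute_validity(mine, {"me": ULTIMATE, "fake0": FULL})
    return {
        "isolated_valid": sum(1 for k in fakes if k in isolated),
        "sloppy_fake0": sloppy.get("fake0", "unknown"),
        "sloppy_others": {sloppy.get(k, "unknown") for k in fakes[1:]},
        "trusting_others": {trusting.get(k, "unknown") for k in fakes[1:]},
    }


if __name__ == "__main__":
    print("bob's validity by cert level:", scenario_min_cert_level())
    print("Sybil cluster:", scenario_sybil())
```

Running it shows bob at "full" for sig0, sig2 and sig3 and "unknown" for sig1, which is the `--min-cert-level 2` default at work (pass `min_cert_level=1` to `compute_validity` to see sig1 count). The Sybil cluster of 90 mutual sig3 certifications yields zero valid keys on its own; the only thing that changes the outcome is the ownertrust I assign locally, which is exactly why a certification count on a key tells a third party nothing by itself.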