Newsgroups: sci.crypt Subject: Re: Announcement: Mac Crypto Interface Project I thought I would forward this to try and provoke discussion: ++++ In article <199405140507.AAA23861@indial1.io.com>, Terry Ritter <ritter@indial1.io.com> wrote:
In <strnlghtCpr6DE.7C6@netcom.com> strnlght@netcom.com (David Sternlight) writes:
[...] Thus PGP will either have to be modified to conform to the PEM Certification heirarchy, Apple will have to add web-of-trust provisions to Digisign and ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the core system utilities, or PGP Mac users will have to generate their key pairs for PGP separately and use them separately from their certified AOCE key pair used to sign and authenticate.
[...] Ripem may shortly be adding the new "web-of-trust" addendum to the RFC on ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ PEM certificates. Whether Apple will do so or not remains to be seen. ^^^^^^^^^^^^^^^^
I am aware of no formal analysis of "web-of-trust" as a secure cryptographic protocol. Strangely, sci.crypt has held many huge discussions on the strength of RSA and IDEA, but few if any on the relative difficulty of defeating "web-of-trust."
Failure of "web-of-trust" to identify a "spoofed" invalid key leaves the PGP design open to "man-in-the-middle" attack. While many consider such attack unlikely, I wonder just how unlikely this cheap and easy method would be when compared to the capital and time required to attack even a 512-bit RSA key. Note that the Network itself seems almost the ideal resource for the automatic re-routing of messages needed in such an attack. [...] "Web-of-trust" is almost certainly the weakest part of the PGP design. [...]
One of the biggest problems I see with the web of trust in PGP, at least in the MAC version, is the difficulty in verifying signed messages. It's just too complicated to be done on a regular basis. This is why it is easy to forge usenet messages now-a-days on the net, no one checks. The other flaw here is characterizing the web-of-trust as a secure cryptograhpic protocol for your analysis. Indeed the social aspects of the web-of-trust model are what your really referring to. If a messages is signed by me, and the signature checks out, the public key having been verified by some physical exchange or a trusted key signature, validity is no longer a cryptographic question. There is little doubt that the message was: 1> Signed by the public key in question. 2> Not altered since. The real question is does the key belong to who it claims to belong to, and has it been compromised? This is a social question, and makes key signatures a shade and not a bit (on/off black/white) question. It now comes down to judgements about the key management practices of the user, and the key signature policy of the key certifiers. A key certificate is not really a cold "certificate of authenticity," it is a voucher, and it's only as good as the authority it comes from. The reason I prefer this over a centralized system is because the potential for compromise of the thousand potential signators on the net is minimal. Because a central authority takes each potential certification application as a blank slate, it has basic unreliabilities that to me are more disturbing. All it takes to compromise a central authority is a forged identification document. If you've been to college you know this is a joke, if you live in LA you have more experience. Why this is more trustworthy than several signatures from diverse, respected net or other personalities is beyond me. What's wrong with the web of trust right now is that it takes a boolean approach to a non-boolean process. Signatures should instead bear some qualifying information, like "know personally" or "physical exchange of key information" or "life long friend." In addition I would like to see a reputation signature as well, a signature that says "not only is this a person who I know personally, but I respect this person's judgement and perspective in intellectual matters." This in conjunction with the strong signature method would make the web-of-trust model much more effective. Regardless, the greater problem is transparency of operation. Once that is accomplished, it will be a trivial matter for forged usenet posts to be rebuked by readers realtime. In short, you need to ask not just: "Is it signed." But: "Is it signed by a public key bearing a key certificate from a user I trust to make good decisions." -uni- (Dark)