Re: Revoking Old Lost Keys
At 7:07 AM 1/6/96, Bruce Baugh wrote:
I'd like to bring up a problem I haven't seen addressed much yet, and which I think is going to come up with increasing frequency as PGP use spreads.
The problem is this: how can one spread the word that an old key is no longer to be used when one no longer has the pass phrase, and cannot therefore create a revocation certificate?
Basically, you are screwed. Any revocation you attempt will not be trusted, as we will suspect the new "you" to be an attacker, perhaps an agent of the NSA or the Illuminati. In the view that "you are your key," the old you no longer exists. Perhaps you could just move to a different city, change your name, and create a new key. (However, be sure you write down your passphrase and other salient information to handle your next memory loss.)
In my case the problem is medical: thanks to autoimmune problems, I get random memory loss from time to time. Sometimes it's big - like an entire semester of my sophomore year of college. Sometimes it's small - like three old pass phrases. So there are keys of mine floating around the key servers that I don't want used, and which are just taking up space.
Pardon me for being politically incorrect (*), but anyone who has these sorts of memory lapses should certainly write down the passphrases! While it is true that writing down a passphrase increases the risk slightly that a black bag operative will sneak into one's house and use his Minox to record the passphrases, in practice this is a minor risk. Especially compared to the immediate risk of losing or forgetting the passphrase.

(* I said I was being "politically incorrect" because I've found that people these days don't want their defects and weaknesses commented upon by others, even when they mention them themselves. Thus, cripples don't want anyone to comment on their handicaps, and so on. Someone on this list with "Multiple Personality Disorder" got mightily offended when someone else mentioned MPD in a joking way in a post. Others freak out at innocent remarks, seeing their own demons.)

So, if you are losing entire semesters' worth of memory, you might want to start writing a lot of stuff down.

Seriously, this is an example where "escrow" works. Seal an envelope with your passphrase and any other stuff you want to remember, and leave it with your lawyer or escrow agency with instructions to only turn it over to you. Same as a safe deposit box, unless you forget the key. (You could forget you have a lawyer, so better write that down somewhere, too.)

I've not forgotten my PGP passphrase, but then I've only had one PGP key in the last several years and I've written a note to myself someplace which describes what the passphrase is in terms I think would only be meaningful to me. Not fully secure, but nothing really is. And secure enough. If you've had several keys in several years, and yet you are at risk of forgetting entire semesters, maybe you ought to think about whether encryption is all that necessary for you.
(I rarely see the need to encrypt, even as I cherish the ability and present right to encrypt, so I naturally wonder what it is all these people who seem to be encrypting nearly every private message they send are really concerned about.... just my opinion.)

I hope all turns out well, and I hope my candid answers to your questions are not too politically incorrect.

--Tim May

We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
Timothy May wrote:
At 7:07 AM 1/6/96, Bruce Baugh wrote:
I'd like to bring up a problem I haven't seen addressed much yet, and which I think is going to come up with increasing frequency as PGP use spreads.
The problem is this: how can one spread the word that an old key is no longer to be used when one no longer has the pass phrase, and cannot therefore create a revocation certificate?
Basically, you are screwed. Any revocation you attempt will not be trusted, as we will suspect the new "you" to be an attacker, perhaps an agent of the NSA or the Illuminati. In the view that "you are your key," the old you no longer exists.
...
Seriously, this is an example where "escrow" works. Seal an envelope with your passphrase and any other stuff you want to remember, and leave it with your lawyer or escrow agency with instructions to only turn it over to you. Same as a safe deposit box, unless you forget the key. (You could forget you have a lawyer, so better write that down somewhere, too.)
Escrow is orthogonal to the underlying problem here, which is that the PGP revocation model is completely wrong. Since the trust properties and other semantics of a key originate with the certificates attached to the key, and not from the key owner per se, it makes little sense to make the key owner responsible for revoking that trust. Far more sensible would be a scheme in which the certificate issuers themselves could revoke their certificates when they believe a key is no longer trustworthy. (A practical decentralized system like PGP could provide a facility for certifiers to "pre-revoke" their certificates at the time they are issued so that the key owner could distribute the revocation certificates himself if he discovers his own key to have been compromised or lost.)

Note that the problem here is in the basic trust model, not just the certificate distribution model (which is a separate problem). The lack of ability for a certifier to revoke his own certification, plus the lack of a facility to put limits on the duration and meaning of the certification, make PGP certificates of very limited practical value.

-matt
Note that the problem here is in the basic trust model, not just the certificate distribution model (which is a separate problem). The lack of ability for a certifier to revoke his own certification, plus the lack of a facility to put limits on the duration and meaning of the certification, make PGP certificates of very limited practical value.
Isn't the last bit here, the part about duration and meaning, the practical answer to the problem? Especially duration?

The stuff that's been going on lately with Netscape's browsers, Sameer's Apache SSL server, and the difficulty of getting CAs like Verisign to approve keys underscores the importance of this issue.

This is probably sort of half-baked, but is it possible to come up with a formal grammar that would allow us to describe trust models in general? What if we had a prolog-like system that allowed you to set up rules like:

"x is a student if x has got a signature from a school"
"x is a school if x has got a signature from the accreditation authority"
"x belongs to the secret society if x has signatures from 3 other people who have belonged to the society for more than a year, and if x is a certified owner of a duck."

Wouldn't something like this give us the flexibility to use a PGPish model of trust or an X.509ish model, or whatever else we wanted to do?

It seems to me that the rules that govern when you can accept which signature ought to be data objects in a more flexible system, just as the signatures themselves are data objects. That means that the rules themselves ought to be subject to change, revocation, or revision.

The constitution wouldn't have survived if it didn't contain a mechanism for amendment. Wouldn't a model of trust with the same ability for revision and extension be a lot more robust, and a lot more resistant to centralized control?
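A toy of the two ideas raised in Matt's and Alex's posts, certifications that expire and that only their issuer can revoke, and trust rules kept as data and evaluated Prolog-style, as an added Python example that is not PolicyMaker, PGP code, or anything from this thread; the names, claims and day numbers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str    # the certifier who signed
    subject: str   # whose key is being vouched for
    claim: str     # what is asserted, e.g. "school" or "student"
    expires: int   # constructed day number; the certification is void after it

class TrustStore:
    def __init__(self):
        self.certs, self.revoked = [], set()
    def revoke(self, who, cert):
        # Only the issuer can withdraw its own assertion; the key owner,
        # who may have lost the passphrase, plays no part in this.
        if who != cert.issuer:
            raise PermissionError("only the issuer may revoke this certificate")
        self.revoked.add(cert)
    def valid(self, cert, now):
        return cert not in self.revoked and now < cert.expires

def holds(store, rules, roots, subject, claim, now, _path=frozenset()):
    """Prolog-style check: does `claim` hold for `subject` at time `now`?"""
    if subject in roots.get(claim, ()):   # axioms, e.g. the accreditation authority
        return True
    if (subject, claim) in _path:         # cycle guard: a claim cannot justify itself
        return False
    path = _path | {(subject, claim)}
    for needed_claim, min_signers in rules.get(claim, []):
        signers = {c.issuer for c in store.certs
                   if c.subject == subject and c.claim == claim and store.valid(c, now)
                   and holds(store, rules, roots, c.issuer, needed_claim, now, path)}
        if len(signers) >= min_signers:
            return True
    return False

def demo():
    store, roots = TrustStore(), {"accreditor": {"AccredBoard"}}
    rules = {"school": [("accreditor", 1)], "student": [("school", 1)]}
    student = Cert("StateU", "alice", "student", expires=200)
    store.certs += [Cert("AccredBoard", "StateU", "school", expires=400), student]
    result = {"day100": holds(store, rules, roots, "alice", "student", 100),
              "day250": holds(store, rules, roots, "alice", "student", 250)}
    try:
        store.revoke("alice", student)     # the key owner tries to revoke
        result["owner_revoked"] = True
    except PermissionError:
        result["owner_revoked"] = False
    store.revoke("StateU", student)        # the certifier withdraws its certification
    result["after_issuer_revoke"] = holds(store, rules, roots, "alice", "student", 100)
    return result
```

The `rules` table is ordinary data, so a deployment can swap in a hierarchical X.509-like table or a threshold rule such as "member if signed by 3 members" without touching the evaluator.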
Note that the problem here is in the basic trust model, not just the certificate distribution model (which is a separate problem). The lack of ability for a certifier to revoke his own certification, plus the lack of a facility to put limits on the duration and meaning of the certification, make PGP certificates of very limited practical value.
Isn't the last bit here, the part about duration and meaning, the practical answer to the problem? Especially duration?
The stuff that's been going on lately with Netscape's browsers, Sameer's Apache SSL server, and the difficulty of getting CAs like Verisign to approve keys underscores the importance of this issue.
This is probably sort of half-baked, but is it possible to come up with a formal grammar that would allow us to describe trust models in general? What if we had a prolog-like system that allowed you to set up rules like:
"x is a student if x has got a signature from a school"
"x is a school if x has got a signature from the accreditation authority"
"x belongs to the secret society if x has signatures from 3 other people who have belonged to the society for more than a year, and if x is a certified owner of a duck."
Wouldn't something like this give us the flexibility to use a PGPish model of trust or an X.509ish model, or whatever else we wanted to do?
It seems to me that the rules that govern when you can accept which signature ought to be data objects in a more flexible system, just as the signatures themselves are data objects. That means that the rules themselves ought to be subject to change, revocation, or revision.
The constitution wouldn't have survived if it didn't contain a mechanism for amendment. Wouldn't a model of trust with the same ability for revision and extension be a lot more robust, and a lot more resistant to centralized control?
Indeed, I agree that's the right approach. In fact, I agree so much that I've spent the last few months (with Joan Feigenbaum and Jack Lacy) developing the principles and structure for just such a "trust management" system. Watch this space for details of our system, called "PolicyMaker", which I expect to release a paper about shortly and a reference implementation around April or May. -matt
Participants (3): Alex Strasheim, Matt Blaze, tcmay@got.net