Forward of sci.crypt web of trust.
Newsgroups: sci.crypt
Subject: Re: Announcement: Mac Crypto Interface Project

I thought I would forward this to try and provoke discussion:

++++

In article <199405140507.AAA23861@indial1.io.com>, Terry Ritter <ritter@indial1.io.com> wrote:
In <strnlghtCpr6DE.7C6@netcom.com> strnlght@netcom.com (David Sternlight) writes:
> [...] Thus PGP will either have to be modified to conform to the PEM Certification hierarchy, Apple will have to add web-of-trust provisions to Digisign and the core system utilities, or PGP Mac users will have to generate their key pairs for PGP separately and use them separately from their certified AOCE key pair used to sign and authenticate.
>
> [...] Ripem may shortly be adding the new "web-of-trust" addendum to the RFC on PEM certificates. Whether Apple will do so or not remains to be seen.
I am aware of no formal analysis of "web-of-trust" as a secure cryptographic protocol. Strangely, sci.crypt has held many huge discussions on the strength of RSA and IDEA, but few if any on the relative difficulty of defeating "web-of-trust."
Failure of "web-of-trust" to identify a "spoofed" invalid key leaves the PGP design open to "man-in-the-middle" attack. While many consider such attack unlikely, I wonder just how unlikely this cheap and easy method would be when compared to the capital and time required to attack even a 512-bit RSA key. Note that the Network itself seems almost the ideal resource for the automatic re-routing of messages needed in such an attack. [...] "Web-of-trust" is almost certainly the weakest part of the PGP design. [...]
One of the biggest problems I see with the web of trust in PGP, at least in the Mac version, is the difficulty in verifying signed messages. It's just too complicated to be done on a regular basis. This is why it is easy to forge usenet messages nowadays on the net: no one checks.

The other flaw here is characterizing the web-of-trust as a secure cryptographic protocol for your analysis. Indeed, the social aspects of the web-of-trust model are what you're really referring to. If a message is signed by me, and the signature checks out, the public key having been verified by some physical exchange or a trusted key signature, validity is no longer a cryptographic question. There is little doubt that the message was:

1> Signed by the public key in question.
2> Not altered since.

The real question is: does the key belong to who it claims to belong to, and has it been compromised? This is a social question, and makes key signatures a shade and not a bit (on/off, black/white) question. It now comes down to judgements about the key management practices of the user, and the key signature policy of the key certifiers. A key certificate is not really a cold "certificate of authenticity," it is a voucher, and it's only as good as the authority it comes from.

The reason I prefer this over a centralized system is because the potential for compromise of the thousand potential signatories on the net is minimal. Because a central authority takes each potential certification application as a blank slate, it has basic unreliabilities that to me are more disturbing. All it takes to compromise a central authority is a forged identification document. If you've been to college you know this is a joke; if you live in LA you have more experience. Why this is more trustworthy than several signatures from diverse, respected net or other personalities is beyond me.

What's wrong with the web of trust right now is that it takes a boolean approach to a non-boolean process. Signatures should instead bear some qualifying information, like "know personally" or "physical exchange of key information" or "life long friend." In addition I would like to see a reputation signature as well, a signature that says "not only is this a person who I know personally, but I respect this person's judgement and perspective in intellectual matters." This in conjunction with the strong signature method would make the web-of-trust model much more effective.

Regardless, the greater problem is transparency of operation. Once that is accomplished, it will be a trivial matter for forged usenet posts to be rebuked by readers realtime.

In short, you need to ask not just: "Is it signed?" But: "Is it signed by a public key bearing a key certificate from a user I trust to make good decisions?"

-uni- (Dark)
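The graded, non-boolean certification scheme uni sketches above (a qualifier on each key signature saying how the binding was checked, plus a separate reputation signature saying the signer trusts the subject's judgement as an introducer), worked through as an added Python example. This is not code from the thread or from PGP's own trust model; the qualifier vocabulary, the weights, the implicit-trust factor for reputation endorsements, the acceptance threshold and the sample keyring (keys `me`, `alice`, `bob`, `carol`, `mallory`, `alice-fake`) are all constructed for illustration.

```python
"""Graded web-of-trust evaluation (constructed example, not PGP's algorithm)."""
from dataclasses import dataclass
from typing import Dict, List

# What a certification is worth depends on how the signer says the key was
# verified: the "qualifying information" the post asks for. Constructed vocabulary.
QUALIFIER_WEIGHT = {
    "physical-key-exchange": 1.0,
    "lifelong-friend": 1.0,
    "know-personally": 0.6,
    "unqualified": 0.2,   # a bare signature that says nothing about how it was checked
}

# Introducer trust implied by a reputation signature from a fully trusted, valid key.
REPUTATION_TRUST = 0.5   # constructed factor


@dataclass(frozen=True)
class Certification:
    signer: str               # key id of the certifying key
    subject: str              # key id being vouched for
    qualifier: str            # how the signer verified the binding (QUALIFIER_WEIGHT key)
    reputation: bool = False  # "I also respect this person's judgement" endorsement


class WebOfTrust:
    def __init__(self, my_key: str, certs: List[Certification],
                 owner_trust: Dict[str, float]):
        self.my_key = my_key
        self.certs = certs
        # Trust I explicitly assign to other people's judgement as certifiers, 0..1.
        self.owner_trust = dict(owner_trust)

    def introducer_trust(self, key: str, seen: frozenset) -> float:
        """Trust in a key's judgement as a certifier (not in the key's validity).
        An explicit assignment wins; otherwise a reputation endorsement from a
        trusted and valid key grants a reduced, implicit trust."""
        if key == self.my_key:
            return 1.0
        if key in self.owner_trust:
            return self.owner_trust[key]
        implied = 0.0
        for c in self.certs:
            if c.subject != key or not c.reputation or c.signer in seen or c.signer == key:
                continue
            implied = max(implied, REPUTATION_TRUST
                          * self.introducer_trust(c.signer, seen | {key})
                          * self.validity(c.signer, seen | {key}))
        return implied

    def validity(self, key: str, seen: frozenset = frozenset()) -> float:
        """0..1 confidence that `key` belongs to the person it names.
        `seen` breaks certification cycles (A signs B, B signs A)."""
        if key == self.my_key:
            return 1.0
        score = 0.0
        for c in self.certs:
            if c.subject != key or c.signer in seen or c.signer == key:
                continue   # skip self-signatures and anything already on the path
            # A certification counts only as far as the signer's own key is valid
            # and as far as I trust the signer's judgement; the qualifier scales it.
            score += (QUALIFIER_WEIGHT.get(c.qualifier, 0.0)
                      * self.introducer_trust(c.signer, seen | {key})
                      * self.validity(c.signer, seen | {key}))
        return min(1.0, score)

    def accept_signature(self, signer_key: str, threshold: float = 0.5) -> bool:
        """The post's second question: is the signing key vouched for, well
        enough, by people I trust to make good decisions?"""
        return self.validity(signer_key) >= threshold


def example_ring() -> WebOfTrust:
    """Constructed keyring: I verified alice in person and trust her judgement;
    she knows bob and endorses him; bob casually signs carol; mallory, whom
    nobody has certified, signs both carol and a forged 'alice-fake' key."""
    certs = [
        Certification("me", "alice", "physical-key-exchange", reputation=True),
        Certification("alice", "bob", "know-personally", reputation=True),
        Certification("bob", "carol", "unqualified"),
        Certification("mallory", "carol", "lifelong-friend"),
        Certification("mallory", "alice-fake", "lifelong-friend"),
    ]
    return WebOfTrust("me", certs, owner_trust={"alice": 1.0})


if __name__ == "__main__":
    ring = example_ring()
    for k in ("alice", "bob", "carol", "mallory", "alice-fake"):
        print(f"{k:11s} validity={ring.validity(k):.2f} accept={ring.accept_signature(k)}")
```

The point the example makes is the one the post makes: mallory's "lifelong-friend" signature on the forged key is cryptographically perfect and contributes nothing, because nobody I trust has vouched for mallory, while bob's unqualified signature on carol counts a little, scaled by how bob was introduced and by the reputation endorsement alice gave him. The threshold is where policy, not cryptography, decides.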
-----BEGIN PGP SIGNED MESSAGE-----
> Regardless, the greater problem is transparency of operation. Once that is accomplished, it will be a trivial matter for forged usenet posts to be rebuked by readers realtime.

I was talking to a definite non-cypherpunk friend of mine today, and he and I came up with something that might help some Mac users with pgp... The way we were thinking about it is that in your pgp directory, er, folder, you would have several icons in addition to pgp itself. One would be a picture of a lock, with the name "encrypt", and to encrypt a file you simply "pick up" the file and "drag" it over to "drop" it on the encrypt icon. Poof, encrypted file is produced (sure it would ask for passwords and stuff, and it would ask first who to encrypt it to, with the user's own pubkey the default). Another icon would be a picture of a key with the word "decrypt"; any ciphertext file dropped on it would be decrypted. Another one would be a picture of a fountain pen with the name "sign", yet another would be a magnifying glass over a piece of paper to "examine sig" or whatever (yes, you nit-pickers, I know that functionally the decrypt and the sig check are like identical, but the users have a hard time understanding that sometimes).

The point is that someone with some knowledge of Macintosh programming hopefully can create what in unix would be a link to the pgp program, whereby it would just call pgp with certain options enabled depending on what name you called it under...

Happy Hunting,
-Chris
______________________________________________________________________________
Christian Douglas Odhner      | "The NSA can have my secret key when they pry
cdodhner @ indirect.com       | it from my cold, dead, hands... But they shall
pgp 2.3 public key by finger  | NEVER have the password it's encrypted with!"
cypherpunks WOw dCD Traskcom Team Stupid
Key fingerprint = 58 62 A2 84 FD 4F 56 38 82 69 6F 08 E4 F1 79 11
- ------------------------------------------------------------------------------
A government mandate for key-escrow encryption in all communication devices
would be the information-age equivalent of the government requiring private
citizens to quarter troops in their home.
--David Murray

PGP NSA ViaCrypt Phrack EFF #hack LOD/H 950 FBI MindVox ESN KC NUA murder QSD Hacker DEFCON SprintNet MCI AT&T HoHoCon DNIC TRW CBI 5ESS KGB CIA RSA Communist terrorist assassin encrypt 2600 NORAD missile explosive hack phreak pirate drug bomb cocain payment smuggle A.P. bullets semi-auto stinger revolution H.E.A.T. warheads porno kiddiesex export import customs deviant bribe corrupt White House senator congressman president Clinton Gore bootleg assasinate target ransom secret bluprints prototype microfilm agents mole mafia hashish everclear vodka TnaOtmSc Sony marijuana pot acid DMT Nixon yeltsin bosnia zimmerman crack knight-lightning craig neidorf lex luthor kennedy pentagon C2 cheyenne cbx telnet tymenet marcus hess benson & hedges kuwait saddam leader death-threat overlords police hitler furer karl marx mark tabas agrajag king blotto blue archer eba the dragyn unknown soldier catch-22 phoenix project biotech genetic virus clone ELINT intercept diplomat explosives el salvador m-16 columbia cartel

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLdXaS+Kc9MdneB1xAQHRbQP+NDe9gRMdNPDW/Hp/QV8TzV+m++LwKwrI
r9OVM8ayhxYsTCH4ML4dQRPI4IwArbGkPHOul5aF8CFlthMvzcmLIwmv9zPZMAmC
7enswtYVTx55Oooy5sEfc23dX360ZkajqaelxyvHAodz5WD3Cx4tKLRU8GQS00PX
l/+v4e5CFeo=
=XS9D
-----END PGP SIGNATURE-----
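The unix side of Chris's idea, one program that behaves as "encrypt", "decrypt", "sign" or "verify" depending on the name it was linked under, as an added Python example that is not code from the thread or from any PGP release. The link names are the icon names Chris proposes; the `pgp` argument forms (`-e FILE USERID` to encrypt, `-s FILE -u USERID` to sign, bare `pgp FILE` to decrypt or verify) follow the PGP 2.x user's guide as I recall them and should be treated as an assumption checked against your copy; the `PGP_USERID` environment variable is a convention invented for this example.

```python
"""Multi-call PGP 2.x front end: dispatches on the name it was invoked under,
the way a Unix link to a single program would (added example, not from the thread)."""
import os
import subprocess
import sys
from typing import List, Optional


def build_command(invoked_as: str, path: str, my_userid: str,
                  recipient: Optional[str] = None) -> List[str]:
    """Map the link name (basename of argv[0]) to a pgp argument vector.

    The result is a list, not a shell string, so a file name containing spaces
    or shell metacharacters cannot change which command actually runs."""
    name = os.path.basename(invoked_as)
    if name == "encrypt":
        # Encrypt to a recipient's public key; the user's own key is the default,
        # exactly as the post proposes for the lock icon.
        return ["pgp", "-e", path, recipient or my_userid]
    if name == "sign":
        # Sign with the user's own secret key (assumed PGP 2.x form).
        return ["pgp", "-s", path, "-u", my_userid]
    if name in ("decrypt", "verify"):
        # One and the same invocation: pgp decrypts or checks a signature
        # according to what the file contains, which is the point the post
        # concedes to the nit-pickers while keeping two icons for the users.
        return ["pgp", path]
    raise ValueError(f"unknown link name {name!r}; expected encrypt, decrypt, sign or verify")


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print(f"usage: {os.path.basename(argv[0])} FILE [RECIPIENT]", file=sys.stderr)
        return 2
    my_userid = os.environ.get("PGP_USERID", "")  # constructed convention for this example
    recipient = argv[2] if len(argv) > 2 else None
    try:
        cmd = build_command(argv[0], argv[1], my_userid, recipient)
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 2
    # pgp itself prompts for the pass phrase on its own terminal, as the post expects.
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it once as, say, `pgpwrap.py`, then `ln -s pgpwrap.py encrypt`, `ln -s pgpwrap.py sign`, and so on; Python sets `sys.argv[0]` to the path the link was invoked through, so `build_command` sees the link name rather than the script's.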
participants (2): Black Unicorn, cdodhner@indirect.com