True Names and Webs of Trust
Just a comment on this business of whether we need certification of the True Names of people we deal with:

I've dealt with "in person" maybe 60 to 100 of the people on this list (at one time or another). In no cases--not a single one--have I made elaborate checks to confirm that people are who they claim to be. A few driver's licenses have been flashed at meetings, but I didn't look closely. Maybe a passport was even displayed, but, again, I didn't look. And documents are readily forged.

This has relevance to the thread Michael Froomkin raised, as well. To wit, none of the people I've met has been "certified." And yet it doesn't bother me.

As Bill Stewart correctly claimed is my view, the "key is the identity." Or, more accurately, a _persistent persona_ is what matters. Thus, I don't need to "verify" that "Eric Hughes" is "really" Eric Hughes, and is not actually Fritz Doppelganger, assigned to Berkeley by the BND. I really don't care about the so-called "reality." (Sorry for all of the "quotes," but all of these terms are heavily laden with connotations which bear deconstructing.)

My experiences are the norm, I think. Identity credentials are rarely checked, and most people don't care too much. (An important point is that in a cash economy, identity is almost irrelevant. It's only in non-cash, or "account-based," economy that True Names are demanded. Lots of interesting issues to discuss here, which I won't now.)

The "web of trust" model is really the normal way people go about their business. I knew someone once introduced to me as "Hugh Daniel," and he eventually introduced me to someone calling himself "Eric Hughes," and so on. Introducers, webs of trust, etc. What their "real names" are makes little difference. (Besides, their Real Names were written on flat stones on the 3rd day after their births and placed in a safe place known only to the Great Bird.)

I never use the web of trust model in PGP. I get so few PGP messages that it's enough that people I know give me their keys. So I concede that the web of trust model in the PGP world may or may not scale well. (In the sense of tens of thousands of folks establishing a "web of trust.") But the _basic_ idea of self-arranged transfers of keys and local networks of friends is right on.

This is why I don't worry too much about the need for government-authenticated keys and True Names.

--Tim May

---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."
tcmay> As Bill Stewart correctly claimed is my view, the "key is the
tcmay> identity." Or, more accurately, a _persistent persona_ is
tcmay> what matters.

These discussions are missing the entire point of the Web of Trust.

Key signatures exist for one reason and one reason only: To thwart man-in-the-middle attacks. Whether your "persistent persona" is a True Name (tm) or a pseudonym is irrelevant.

Suppose a sysadmin on your site installed a filter on your mail and news that translated everything between your real public key and one of her choosing. Such a transformation could be done automatically quite easily. How long before you would notice? Depending on how careful you are, it could take quite a while.

Key signatures avoid this attack. What a key signature *means* is that the signer is personally vouching that no such attack has taken place. Each signer has his own level of paranoia, and you need some knowledge of that paranoia level to evaluate the worth of a signature. Requiring a True Name backed by state-approved photo ID is a pretty high level of paranoia. (It would take a lot of effort to monitor this exchange, edit it to arrange a meeting between us, show up with photo ID for "Tim May", and continue editing every time one of us mentioned our personal meeting...)

Pseudonyms *do* pose a problem here. The problem is not whether someone tries to use a name that "really" belongs to someone else. Who cares? The problem is making sure that your conversation with the entity at the other end of the wire is secure. This is what the Web of Trust provides.

If I take the time to have a long conversation with a pseudonym (so that I "get to know him"), then I arrange a personal or telephone meeting, and the person I talk to is totally consistent with the person I know electronically, then I can feel safe signing his key. ("The entity calling itself 'Patrick J. LoPresti' asserts that the entity it knows as 'John Doe' uses this public key.") Of course, I need to know him pretty well before I can do this, lest the man-in-the-middle deceive us.

The beauty of the Web of Trust is that once I have done this, everyone else who trusts me can use the pseudo's key with confidence and without going through the same trouble.

Zimmermann clearly understood all of this, but I don't think he documented it properly. In my opinion, everyone should always think in terms of man-in-the-middle attacks when signing a public key. Mandating "True Names" is just an overconservative approach suitable for people who don't fully understand the issue.
Zimmermann clearly understood all of this, but I don't think he documented it properly. In my opinion, everyone should always think in terms of man-in-the-middle attacks when signing a public key. Mandating "True Names" is just an overconservative approach suitable for people who don't fully understand the issue.

wilcoxb> My point exactly. My post "Stop Fixating on True Names" was
wilcoxb> an attempt to clarify things to said people.

Then you didn't clarify very well; to wit:

wilcoxb> Okay now does anyone want to do any of the above two things
wilcoxb> to me? If not then *don't* *worry* about whether my public
wilcoxb> key is signed by anyone or not. It makes zero difference to
wilcoxb> you until such a time as one of the above motivations
wilcoxb> acquires.

wilcoxb> Zimmermann et al. were/are naive to emphasize the Web of
wilcoxb> Trust as a means of introducing strangers.

The first paragraph clarifies nothing because it is dead wrong; the second because it is arrogant, offensive, and dead wrong.

wilcoxb> From this perspective, the Web of Trust is the soul of
wilcoxb> public-key cryptography. From the other perspective ("Never
wilcoxb> ever sign a key which you got off of a bulletin board!"
wilcoxb> warns "pgpdoc1.txt") it is a cute anachronism.

The Web of Trust is a means of thwarting active attacks; nothing more, nothing less. "Perspective" has nothing to do with it.

Given that active attacks are hard to explain and understand fully, the PGP docs are correct to advocate a conservative approach to signing keys. Novices *should* be taught to take the Web of Trust seriously. (Yes, I am retracting my own statements quoted above; the more I think about it, the more I think it is very hard to teach a novice the details of active attacks.)

Moreover, I suspect that active attacks are more likely today than when those docs were written, which makes their advice precisely the opposite of an "anachronism".
patl> Zimmermann clearly understood all of this, but I don't think he
patl> documented it properly. In my opinion, everyone should always
patl> think in terms of man-in-the-middle attacks when signing a public
patl> key. Mandating "True Names" is just an overconservative approach
patl> suitable for people who don't fully understand the issue.

wilcoxb> My point exactly. My post "Stop Fixating on True Names" was
wilcoxb> an attempt to clarify things to said people.

patl> Then you didn't clarify very well; to wit:

wilcoxb> Okay now does anyone want to do any of the above two things
wilcoxb> to me? If not then *don't* *worry* about whether my public
wilcoxb> key is signed by anyone or not. It makes zero difference to
wilcoxb> you until such a time as one of the above motivations
wilcoxb> acquires.

You are quite right that this paragraph was unclear. I meant "don't worry about whether my public key is signed where signing means certifying the mapping between my key and my physical identity.", not "don't worry about whether my public key is signed where signing means certifying the mapping between my key and a perceived identity of mine.". It is unfortunate that a PGP key-signature has such ambiguous semantics, but again it is my fault for being unclear above.

wilcoxb> Zimmermann et al. were/are naive to emphasize the Web of
wilcoxb> Trust as a means of introducing strangers.

patl> The first paragraph clarifies nothing because it is dead wrong; the
patl> second because it is arrogant, offensive, and dead wrong.

Pshaw. I think it's funny when people gasp in horror if you say something disrespectful of Saint Phil. Here, I'll say it again: Zimmermann was naive to emphasize the Web of Trust as only legitimate for public key<->Real-Life-identity mappings. In the future such mappings will be rare, while the Web of Trust will be used extensively for public key<->virtual-identity mappings.

(The alert observer will notice that I changed some things between the first and second invocations of the Disrespectful Assertion. This is because when I wrote the first version I was still confused about the ambiguity between "Web of Trust as set of key<->Real-Life-identity mappings" and "Web of Trust as set of key<->identity mappings".)

patl> Given that active attacks are hard to explain and understand fully,

I'll say! I'm having a very hard time understanding all of this clearly.

patl> the PGP docs are correct to advocate a conservative approach to
patl> signing keys. Novices *should* be taught to take the Web of Trust
patl> seriously. (Yes, I am retracting my own statements quoted above; the
patl> more I think about it, the more I think it is very hard to teach a
patl> novice the details of active attacks.)

Be that as it may, I still think that Zimmermann assumed that key<->real-life-identity mappings would be the primary purpose for the Web of Trust when he wrote "pgpdoc1.txt". And I think he was wrong about that. It is not "arrogant" or "offensive" to say that someone was wrong when you believe that to be the case.

patl> Moreover, I suspect that active attacks are more likely today than
patl> when those docs were written, which makes their advice precisely the
patl> opposite of an "anachronism".

Furthermore, Phil's advice to only sign keys which you have physically verified actually makes it easier for an attacker to get In-The-Middle-Of you and me. This is because there is no Web of physically-verified keysigs between you and me. If Phil had recommended treating public keys as being equivalent to net.personas, and verifying them as such, (or better yet, had provided a certificate mechanism to do so in *addition* to the current certificates) then there would be a Web of non-physically-verified keys between you and me, which would be much harder for an attacker to subvert. Since you and I do not share any such Web, we are not any better off than if we were using symmetric-key cryptography, as far as privacy goes! (Authentication is of course another matter.)

Ah, the irony. By insisting on maximally-strong links between each node in the Web, you generate a much weaker Web than if you allowed weaker individual links in greater quantity.

Thank you for your correspondence, Patrick and others. I look forward to more constructive interaction.

Bryce

signatures follow: + public key on keyservers /. island Life in a chaos sea or via finger 0x617c6db9 / bryce.wilcox@colorado.edu ---*
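The closing argument of the message above turns on how many independent signature chains connect two correspondents. The following is an added example, not part of the original thread: it counts introducer-disjoint chains in a keyring using max-flow, under the assumptions that every signature is equally reliable and that the keyrings and names shown are constructed.

```python
from collections import defaultdict, deque

def disjoint_chains(signatures, src, dst):
    """Count introducer-disjoint signature chains from src's key to dst's key.
    signatures: (signer, signee) pairs, "signer certified signee's key".
    By Menger's theorem the result is also the minimum number of introducers
    that must be subverted to break every chain (absent a direct signature).
    Assumption of this sketch: every signature is equally reliable.
    """
    cap, adj = defaultdict(int), defaultdict(set)

    def edge(u, v, c):
        cap[(u, v)] += c
        adj[u].add(v)
        adj[v].add(u)  # reverse (residual) edge, capacity 0 until flow is pushed
    nodes = {n for pair in signatures for n in pair} | {src, dst}
    for n in nodes:  # split each key so an introducer can carry only one chain
        edge((n, "in"), (n, "out"), len(nodes) if n in (src, dst) else 1)
    for signer, signee in signatures:
        edge((signer, "out"), (signee, "in"), 1)

    s, t, flow = (src, "out"), (dst, "in"), 0
    while True:  # Edmonds-Karp: push one unit along a shortest augmenting path
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        v = t
        while parent[v] is not None:
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        flow += 1

# Constructed keyrings (hypothetical names). STRICT: only in-person signatures.
STRICT = [("alice", "carol"), ("erin", "bob")]
# LENIENT: the same, plus signatures made after long online acquaintance.
LENIENT = STRICT + [("carol", "erin"), ("alice", "dave"), ("dave", "bob"),
                    ("alice", "frank"), ("frank", "erin")]

if __name__ == "__main__":
    print(disjoint_chains(STRICT, "alice", "bob"))   # no chain at all
    print(disjoint_chains(LENIENT, "alice", "bob"))  # erin is shared by two chains
```

In the lenient keyring three chains exist on paper, but two of them pass through the same introducer, so only two are independent.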
"Bryce" == Bryce Wilcox <wilcoxb@nagina.cs.colorado.edu> writes: (in a PGP signed message)

[...]
Bryce> You are quite right that this paragraph was unclear.
[...]

Bad signature, doesn't match file content :)))

Bryce, why don't you really PGP-sign a mail when you agree you were unclear? :)))

Sam
--
"Little children's brains must have something of a slight hazelnut taste" Charles Baudelaire
"Bryce" == Bryce Wilcox <wilcoxb@nagina.cs.colorado.edu> writes: (in a PGP signed message)

[...] Bryce> You are quite right that this paragraph was unclear. [...]

Bad signature, doesn't match file content :))) Bryce, why don't you really PGP-sign a mail when you agree you were unclear ? :)))

:-) Good one. The truth is that I was testing to see if anyone paid attention to my sigs. Thanks for your response! I promise not to deliberately invalidate any more clearsigs.

Regards,

Bryce
Key signatures exist for one reason and one reason only: To thwart man-in-the-middle attacks. Whether your "persistent persona" is a True Name (tm) or a pseudonym is irrelevant.

<snip>

Zimmermann clearly understood all of this, but I don't think he documented it properly. In my opinion, everyone should always think in terms of man-in-the-middle attacks when signing a public key. Mandating "True Names" is just an overconservative approach suitable for people who don't fully understand the issue.

My point exactly. My post "Stop Fixating on True Names" was an attempt to clarify things to said people.

Look at it this way: leaving aside the fact that a Man-In-The-Middle has to do a little more fast footwork than a normal old eavesdropper does, public key cryptography does not actually give you *any* advantage over symmetric-key cryptography except for this one fact: You can ask George what Alice's public key is, but you can't ask him what her-and-your shared (symmetric) secret key is!

From this perspective, the Web of Trust is the soul of public-key cryptography. From the other perspective ("Never ever sign a key which you got off of a bulletin board!" warns "pgpdoc1.txt") it is a cute anachronism.

By the way, you mentioned "people who don't fully understand the issue"-- a brief survey of e-mail and posts I have seen on this subject indicates to me that even knowledgeable people like the cypherpunks are about evenly split on whether they appreciate this concept or not.

[note: I've been cc:'ing messages to c'punks accidentally after I upgraded to mh. My apologies. At least they weren't completely without relevance...]

Bryce

Announcement: I have had technical difficulties. If you sent me e-mail between Aug 5 and Aug 20 and didn't receive a response, please re-send.

signatures follow: + public key on keyservers /. island Life in a chaos sea or via finger 0x617c6db9 / bryce.wilcox@colorado.edu ---*
participants (5)
- Bryce Wilcox
- Patrick J. LoPresti
- Patrick J. LoPresti
- Samuel Tardieu
- tcmay@got.net