S/MIME and web of trust (was Re: NAI pulls out the DMCA stick)

Eric Murray ericm at lne.com
Fri May 24 16:40:36 PDT 2002

On Fri, May 24, 2002 at 11:17:08AM -0700, jamesd at echeque.com wrote:
>     --
> On 23 May 2002 at 0:24, Lucky Green wrote:
> > Tell me about it. PGP, GPG, and all its variants need to die
> > before S/MIME will be able to break into the Open Source
> > community, thus removing the last, but persistent, block to an
> > instant increase in number of potential users of secure email by
> > several orders of magnitude.
> My impression is that S/MIME sucks big ones, because it commits
> one to a certificate system based on verisign or equivalent.

It uses X.509, which is supposed to be a hierarchical certificate system. 
Verisign is just the dominant X.509 CA.

But as others have pointed out, its possible to become one's own X.509
CA and issue oneself certs.  Netscape and IE browsers will accept certs
from completely made up CAs.  You might have to click on a few "do you
really want to do this" dialog boxes but that's it.  All you need is a
copy of Openssl and directions off a web site..

Additionally, there is nothing that prevents one from issuing certs
that can be used to sign other certs.  Sure, there are key usage bits
etc but its possible to ignore them.  It should be possible to create
a PGP style web of trust using X.509 certs, given an appropriate set of
cert extensions.  If Peter can put a .gif of his cat in an X.509 cert
there's no reason someone couldn't represent a web of trust in it.

Each user would self-sign their cert.  Or self-sign a CA cert and
use that to sign a cert, same thing.  Trust would be indicated
by (signed) cert extensions that indicate "I trust Joe Blow X amount as
a signer of keys".  Each time you added a trust extension you would
generate a new cert using the same key.  Each trust extension would
indicate the entity, their key id (hash of public key), and the degree of
trust.  When you added a trust extension you'd give a copy of the enw
cert to the entity you just added.  They can then append these
certs onto their cert when they authenticate to someone.

When authenticating, you verify the other guys cert, something he signed
with his private key, then all the other people's certs that he sends
in addition to his own, all of which attest to his trustworthiness.
Ideally, you also trust some of the same people, so you now have their
signed "statements" attesting to a degree of trust in the new guy.
[note, there's probably a conceptal flaw in this since  I'm loopy from
allergy drugs today and probably not thinking as clearly as I think I
am, so be polite when you point out my error.  In any case, the point
is that its possible to do a web of trust in x.509, not that I have a
fully formed scheme for implementing it]

Since all this is in X.509, S/MIME MTAs accept it (unless they are
programmed to not accept self-signed CAs, in which case your MTA is a
slave to Verisign et. al).  You'd need an external program to verify the
web of trust, but that's about it.  And to be honest, exactly zero of the
PGP exchanges I have had have actually used the web of trust to really
verify a PGP key.  I've only done it in testing.  In the real world,
I either verify out of band (i.e. over the phone) or don't bother if
the other party is too clueless to understand what I want to do and getting
them to do PGP at all has already exausted my paticnce.

But why bother?

Even if I could do this X.509 web of trust tomorrow, no one besides a
few crypto-geeks would use it.  People just don't give a shit about other
people reading their email.  Most people can't even be bothered to use
a decent password or shred their credit-card statements.  Only criminals
have anything to hide, right?


More information about the cypherpunks-legacy mailing list