[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [ga] Proof of Identification
For whatever it is worth, as someone who has been using PGP for
many years and worrying about key integrity and validity and
webs of trust for most of that time...
(i) Mark's concerns about people signing things on the basis of
faxed identity materials that can easily be tampered with are
legitimate. One can debate about how often faked documents
would actually appear in particular communities, but I would
never sign a key on the basis of such a faxed document alone.
(ii) The key to an operational "web of trust" is that word
"trust". Using PGP in some of the arrangements that have been
proposed would make me _lots_ happier than using email
addresses, but, for digital signatures/ key certifications to be
meaningful, one has to not only be able to authenticate the
signer's key, but trust the signer to behave appropriately.
(iii) Trust is a somewhat elusive concept. If the use of PGP
signatures is going to be used to validate identity and
uniqueness, then agreed-upon conventions are needed as to what
gets signed and on what proofs. If the person doing the
checking trusts the signer to have understood those conventions
and followed them (and, incidentally, to be competent about key
management), then the endorsement is useful. If not, it is
meaningless (such an endorsement should not be held against the
key-holder; to do so would enable all sorts of nasty attacks).
(iv) Similarly, trust is not easily additive. One of the
debates/difficulties in the PGP community for many years is how
many "partially"-trusted signatures add up to one fully-trusted
one. Some think the answer is two or three; others claim that
no number will suffice. And some of us will make case-by-case
decisions depending on the importance of what is happening. It
is no accident that the programs have options to reflect all of
those positions.
The DNSO situation aside, different of us have different
criteria for signing keys. If you see a key signed in one of
my two main keys (one RSA, one DH/DSS), it implies that I've met
the individual face to face, seen identification that I find
satisfying, and gotten at least verbal confirmation of the key
fingerprint from the keyholder. My criteria are not foolproof
or attack-proof: I rarely take the extra step of sending someone
an message encrypted in the public key they want me to sign and
insist that they decrypt the message and send me back the secret
contained therein before I will sign the key. Perhaps I should
do so more often, but there are limits. Similarly, it would
probably be possible to trick me by handing me a fake passport:
I don't claim any knowledge of what most of the passports in the
world look like or how to determine their validity. But a
non-existent person would have to go to fairly extreme lengths
to get me to sign a key (and I do keep an extra signing key,
identified as lower confidence, around for when I need to
endorse something but my normal criteria are not met).
So, the "a group of bogus people get someone to sign all of
their keys and the system breaks" should not be a plausible
attack: if there are clear signing criteria, and they are
reasonable, then someone who starts signing keys for non-people
or on dubious authenticate goes on the "less trusted as signer"
list and just doesn't count: people with keys signed by that
individual would need to seek additional signatures elsewhere
(not to increase the count, but to find a signature from a
trusted signer).
And, again, "not trusted" is a term of art here: I've worked
with people whose identity I can vouch for, whose integrity I
trust completely, but who are, by experience and demonstration,
lousy key managers (typically because they don't understand the
theory well enough to implement it faithfully). So I don't
trust their signatures on other people's keys, not because I
don't trust the people, but because I know of too many
opportunities to compromise their keys. Life is hard sometimes.
For completeness, the interesting attack by a collection of
non-people wouldn't be to subvert one signer and get him or her
to sign all of their keys. It would be to print up a
collection of fake identification papers, one for each identity,
but all bearing the same picture. The associated "face" and
one of the sets of credentials would then be submitted to
different potential trusted signers, so that each one would
match a key, a name, identity papers, and a face and sign the
relevant key. One would then have one real person (at most),
associated with a number of (most faked) identities and keys
with no easy detection mechanism. The latest versions of PGP
permit including a signed, digitized, photograph with a public
key, and that might help detect this particular fraud, but the
formats involved are not backward-compatible and few of us are
using them.
john
PGP Fingerprints:
DH/DSS (id 0xB11F733D): DF70 5F40 B8C9 AE70 0B30 73C7 3E58
E556 B11F 733D
RSA (id 0x8F1B19A5): 6C84 7FC2 2F5A 2306 86BC DDE6 A573 E726
Keys available from the usual servers.