[messaging] Google End-to-End plans on using key directories with a CT-like verification protocol

[Ximin Luo]

On 28/08/14 19:39, yan wrote:
> On 08/28/2014 09:04 AM, Adam Langley wrote:
>> On Wed, Aug 27, 2014 at 2:32 PM, yan <yan at mit.edu> wrote:
>>> Since the Key Directories are (at least initially) run by the Identity
>>> Providers (Google, Yahoo, etc.), it doesn't seem very useful to gossip
>>> the Signed Tree Head inside channels controlled by the identity provider
>>
>> I assume that the gossip will be within the signed part of the message
>> so that the channel cannot alter it.
>>
> 
> But the identity provider can give Alice a version of the log that
> contains fake keys for Bob that are controlled by the identity provider.
> If I understand correctly, it could then MITM all her messages to/from
> Bob and show gossip in the signed part of the message that is consistent
> with the malicious version of the CT log that contains the fake key for Bob.
> 
> (This assumes Alice/Bob haven't verified keys directly.)
> 

Yes, this is the fundamental thing wrong with systems that only try to bind URIs to keys. The problem is the URI is usually controlled, by logistics, by some other entity. Not the real-world identity you want.

For full security, at some point you need to bind a real-world identity to the key.

One could argue this is "out-of-scope" for the system proposed here, but the issue does need to be stated. We shouldn't pretend a system does something that it doesn't.

Sorry for quoting myself, but I think I gave a good summary here:

https://moderncrypto.org/mail-archive/messaging/2014/000647.html

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140828/025a1531/attachment.sig>