[messaging] Thoughts on keyservers

Tao Effect contact at taoeffect.com
Mon Aug 18 10:13:59 PDT 2014

Hi Trevor,

We met at SOUPS 2014 and I asked you for your thoughts on DNSChain / Namecoin / Blockchains / etc.

Your response then was that you didn't know because you hadn't looked into it.

Therefore, I found this email of yours quite puzzling, as it contains no mention of what seems to be the answer you're looking for: the blockchain.

I believe it is a near-perfect solution to the problems you are outlining, and therefore invite you to read the README:


If you have any concerns about it, I'll do my best to address them.


Greg Slepak
okTurtles Foundation

Please do not email me anything that you are not comfortable also sharing with the NSA.

On Aug 18, 2014, at 2:09 AM, Trevor Perrin <trevp at trevp.net> wrote:

> Suppose you want to lookup someone's public key based on their
> username (e.g. lookup a PGP key based on email address).
> Once you have this key you can do TOFU, fingerprint checks, etc., but
> you'd ALSO like to have some trustworthy entity tell you the key.  But
> how?
> * Search the "web of trust" of people you know, and people they know,
> and so on, hoping there's a path to someone who can vouch for the
> subject's key.  But this involves a public social graph of users,
> expensive graph searching, and poorly-understood human interface
> issues around graphs of trust.
> * Query a "central authority" where everyone registers their public
> key.  To mitigate availability and monopoly risk there could be
> several such authorities, and users just have to register with one.
> But multiple authorities increases the risk of "misissuance", and
> mitigating that risk is difficult.  (One approach is for authorities
> to also provide a proof that the key was published (Certificate
> Transparency), so misissuance can be detected and responded to.
> That's promising, but complicated and unproven.)
> The "trust agility" in the web of trust seems like a good idea for any
> system without the performance constraints of HTTPS.  But using
> regular people as trust intermediaries seems unlikely to scale outside
> small groups.  So we could combine these:  Bob could register his
> public key with several keyservers, and Alice could query several
> keyservers she trusts.  Hopefully there's overlap and Alice finds
> Bob's key.
> But there's still a coordination problem - what if Bob registers his
> key someplace, and Alice checks somewhere else?  It's unclear how this
> would play out at scale - fragment into islands? centralize around one
> authority?  Maybe Bob registers his public key with a central,
> widely-known keyserver and also local keyservers based on his
> affiliations, but that's a lot of registering, and a lot of keyservers
> that's it's unclear why anyone would run.
> ---
> A different approach is to have Bob's service provider, as specified
> in his username, be his keyserver (LEAP, STEED, UEE).  For example,
> the keyserver for bob at example.com would be example.com.  This
> eliminates the coordination problem, makes registration easier (Bob
> authenticates to his provider), *might* address the incentive problem
> (Bob's service provider would run the keyserver as part of providing
> him service), and gives Bob flexibility to choose the keyserver (by
> choosing his provider).
> Of course, now Alice needs to authenticate example.com.  A DNS
> solution (DNSSEC or DNSCurve) seems elegant - if bob at example.com is
> vouched for by example.com, then example.com could be vouched for by
> com, who's vouched for by the DNS root.  But since example.com is a
> public server with administrators, it has plenty of other options
> (HTTPS certs, CT logs, pinning via HPKP/TACK or curated pin lists,
> etc.).  So we can handwave "Alice authenticates example.com" as being
> solvable a bunch of ways.
> A sharper criticism is that changing providers and usernames is
> costly, so Bob's flexibility is limited.  Moreover, Bob's provider is
> on the communication path, thus is one of the most important threats
> for end-to-end crypto to protect against.
> So provider-based keyservers are convenient (easy for Bob to register
> with and Alice to find), but it's unclear how much they should be
> trusted.  Maybe they aren't trustworthy but are useful anyways, to
> find keys we acquire trust in via TOFU and fingerprint checks.
> Or maybe keyservers could be made more trustworthy via auditing.  If
> keyservers support lookup over Tor then it's hard for them to deliver
> targeted wrong answers.  Keyservers could also support "transparency"
> similar to CT, e.g. periodically snapshot their directory so that
> 3rd-party monitors can fetch the delta of new/deleted entries.  These
> monitors could notify Bob if his key changes, and send Alice a root
> hash that she uses to check that keyserver responses have been
> published [1].
> So far we've assumed Bob has a single username.  But Alice might know
> Bob via multiple usernames (email, skype, facebook, twitter, etc).  If
> all these hosted keyservers, Alice could lookup Bob's public key from
> multiple providers.  Even if they don't host keyservers, social media
> sites make it easy for Bob to publish information, so could be
> leveraged as "keyservers" with some cleverness (see Keybase [2]).
> ---
> In conclusion, there's a lot of ways to distribute keys.  We probably
> want more and better keyservers.  It's hard to say who should run
> these.  Maybe existing service providers will help, or can be
> leveraged regardless - that's worth discussing more.
> There are also protocol design questions that could be tackled
> independent of who runs things, e.g.
> * How to make keyservers auditable
> * Design of protocols and data formats so that public keys, certs,
> fingerprints, revocation data, prekeys, and so on can be published
> through a variety of channels
> Probably more but this is way too long already...
> Anyways, thoughts?
> Trevor
> [1]
> https://moderncrypto.org/mail-archive/messaging/2014/000226.html
> https://moderncrypto.org/mail-archive/messaging/2014/000244.html
> [2] https://keybase.io/
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140818/1bcf070b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140818/1bcf070b/attachment.sig>

More information about the Messaging mailing list