[messaging] Thoughts on keyservers
Tao Effect
contact at taoeffect.com
Mon Aug 18 10:13:59 PDT 2014
Hi Trevor,
We met at SOUPS 2014 and I asked you for your thoughts on DNSChain / Namecoin / Blockchains / etc.
Your response then was that you didn't know because you hadn't looked into it.
Therefore, I found this email of yours quite puzzling, as it contains no mention of what seems to be the answer you're looking for: the blockchain.
I believe it is a near-perfect solution to the problems you are outlining, and therefore invite you to read the README:
https://github.com/okTurtles/dnschain/blob/master/README.md
If you have any concerns about it, I'll do my best to address them.
Sincerely,
Greg Slepak
okTurtles Foundation
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
On Aug 18, 2014, at 2:09 AM, Trevor Perrin <trevp at trevp.net> wrote:
> Suppose you want to lookup someone's public key based on their
> username (e.g. lookup a PGP key based on email address).
>
> Once you have this key you can do TOFU, fingerprint checks, etc., but
> you'd ALSO like to have some trustworthy entity tell you the key. But
> how?
>
> * Search the "web of trust" of people you know, and people they know,
> and so on, hoping there's a path to someone who can vouch for the
> subject's key. But this involves a public social graph of users,
> expensive graph searching, and poorly-understood human interface
> issues around graphs of trust.
>
> * Query a "central authority" where everyone registers their public
> key. To mitigate availability and monopoly risk there could be
> several such authorities, and users just have to register with one.
> But multiple authorities increases the risk of "misissuance", and
> mitigating that risk is difficult. (One approach is for authorities
> to also provide a proof that the key was published (Certificate
> Transparency), so misissuance can be detected and responded to.
> That's promising, but complicated and unproven.)
>
> The "trust agility" in the web of trust seems like a good idea for any
> system without the performance constraints of HTTPS. But using
> regular people as trust intermediaries seems unlikely to scale outside
> small groups. So we could combine these: Bob could register his
> public key with several keyservers, and Alice could query several
> keyservers she trusts. Hopefully there's overlap and Alice finds
> Bob's key.
>
> But there's still a coordination problem - what if Bob registers his
> key someplace, and Alice checks somewhere else? It's unclear how this
> would play out at scale - fragment into islands? centralize around one
> authority? Maybe Bob registers his public key with a central,
> widely-known keyserver and also local keyservers based on his
> affiliations, but that's a lot of registering, and a lot of keyservers
> that's it's unclear why anyone would run.
>
> ---
>
> A different approach is to have Bob's service provider, as specified
> in his username, be his keyserver (LEAP, STEED, UEE). For example,
> the keyserver for bob at example.com would be example.com. This
> eliminates the coordination problem, makes registration easier (Bob
> authenticates to his provider), *might* address the incentive problem
> (Bob's service provider would run the keyserver as part of providing
> him service), and gives Bob flexibility to choose the keyserver (by
> choosing his provider).
>
> Of course, now Alice needs to authenticate example.com. A DNS
> solution (DNSSEC or DNSCurve) seems elegant - if bob at example.com is
> vouched for by example.com, then example.com could be vouched for by
> com, who's vouched for by the DNS root. But since example.com is a
> public server with administrators, it has plenty of other options
> (HTTPS certs, CT logs, pinning via HPKP/TACK or curated pin lists,
> etc.). So we can handwave "Alice authenticates example.com" as being
> solvable a bunch of ways.
>
> A sharper criticism is that changing providers and usernames is
> costly, so Bob's flexibility is limited. Moreover, Bob's provider is
> on the communication path, thus is one of the most important threats
> for end-to-end crypto to protect against.
>
> So provider-based keyservers are convenient (easy for Bob to register
> with and Alice to find), but it's unclear how much they should be
> trusted. Maybe they aren't trustworthy but are useful anyways, to
> find keys we acquire trust in via TOFU and fingerprint checks.
>
> Or maybe keyservers could be made more trustworthy via auditing. If
> keyservers support lookup over Tor then it's hard for them to deliver
> targeted wrong answers. Keyservers could also support "transparency"
> similar to CT, e.g. periodically snapshot their directory so that
> 3rd-party monitors can fetch the delta of new/deleted entries. These
> monitors could notify Bob if his key changes, and send Alice a root
> hash that she uses to check that keyserver responses have been
> published [1].
>
> So far we've assumed Bob has a single username. But Alice might know
> Bob via multiple usernames (email, skype, facebook, twitter, etc). If
> all these hosted keyservers, Alice could lookup Bob's public key from
> multiple providers. Even if they don't host keyservers, social media
> sites make it easy for Bob to publish information, so could be
> leveraged as "keyservers" with some cleverness (see Keybase [2]).
>
> ---
>
> In conclusion, there's a lot of ways to distribute keys. We probably
> want more and better keyservers. It's hard to say who should run
> these. Maybe existing service providers will help, or can be
> leveraged regardless - that's worth discussing more.
>
> There are also protocol design questions that could be tackled
> independent of who runs things, e.g.
> * How to make keyservers auditable
> * Design of protocols and data formats so that public keys, certs,
> fingerprints, revocation data, prekeys, and so on can be published
> through a variety of channels
>
> Probably more but this is way too long already...
>
> Anyways, thoughts?
>
>
> Trevor
>
> [1]
> https://moderncrypto.org/mail-archive/messaging/2014/000226.html
> https://moderncrypto.org/mail-archive/messaging/2014/000244.html
>
> [2] https://keybase.io/
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140818/1bcf070b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140818/1bcf070b/attachment.sig>
More information about the Messaging
mailing list