[messaging] Thoughts on keyservers

Nadim Kobeissi nadim at nadim.computer
Mon Aug 18 18:18:04 PDT 2014

On Mon, Aug 18, 2014 at 7:21 PM, elijah <elijah at riseup.net> wrote:

> On 08/18/2014 07:32 AM, Nadim Kobeissi wrote:
> > I've read the overview for Nyms and I'm scratching my head as to why it
> > would be a good idea to bring what is effectively a CA-like system to
> > email. Effectively what Nyms seems to be proposing is establishing
> > key-signing authorities but for email, similar to how HTTPS/SSL works
> > right now with certificate authorities.
> Nyms is radically different than CA infrastructure in several important
> ways:
> (1) the model is trust but verify, which is very very different than
> trust all authorities equally for everything.
> (2) although called "trusted notaries" they are not really trusted. They
> are just key endorsers. Unlike x.509, a key could be endorsed by
> multiple notaries and the notaries are continually audited.
> (3) the website authentication problem is very different than the email
> recipient authentication problem (see previous email).
> Mostly just rephrasing what Bruce wrote.

Sure, I get that. There's no need to rehash the original explanation.

There's a lot of vague promises that are bundled with this model. For
example that "the notaries are continually audited." Is this really the
practical scenario?

There's undeniably an issue of centralizing authority here, and there is
something fundamentally problematic with the assertion of centralizing key
authentication in the hands of select authorities. Even with a m-of-n trust
but verify approach, centralizing the network and then allowing it to be
gamed while saying "oh, we'll just pick trustworthy people and make sure
they get audited regularly" simply sounds like an idea that belongs better
back when S/MIME was making rounds, and not today where we've had so many
lessons to learn from the failures of centralized authorities.

Sticking to PGP is confusing. We have many protocols and projects out there
(Axolotl, or miniLock) that are focusing on primitives that are newer,
leaner and that offer new venues for key management. Matthew Green recently
wrote an excellent piece on this [1]. I also saw this pretty comic
comparison of PGP's primitives to Cure25519 today [2].

The fact that folks are resorting to such lengths to try and save PGP is
just clear indication that it's time to move on.

[2] https://twitter.com/dchest/status/501486980338024449

> It is an open question how to deal with a notary that is known to be
> bad, and who decides. In many cases, the endorser will also be the mail
> provider, and users can punish a bad mail provider by leaving.
> -elijah
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140818/6bec05e5/attachment.html>

More information about the Messaging mailing list