[messaging] Keyservers discussion - Day 1 highlights

Trevor Perrin trevp at trevp.net
Tue Aug 19 01:18:50 PDT 2014

Bruce Leidl from Subgraph presented Nyms [1].  This is a system with a
central key-signing / key-directory infrastructure and a strong focus
on reducing the trust needed in that infrastructure:

 - Instead of a single authority a quorum of M (of N) parties have to
agree on a user's public key.

 - Once Alice has retrieved Bob's public key, she performs anonymized
lookups at random intervals for auditing.  Instead of Tor the
anonymized lookups use the directory servers as a mix net.  (Which is
interesting, is that for high-latency anonymity or something else?)

There are other sensible details, e.g.

 - Users are registered via an email exchange.

 - Keys are removed from directory servers if users don't confirm periodically.

Q:  I think the idea is to have a single M-of-N infrastructure sign
keys for everyone, but the website also mentions "participating
providers" who can sign keys for their users.  It's unclear how these
provider-based authorities fit in?


Tom Ritter made some great points [2], among them:

 * An email provider is in some sense "authoritative" for emails from
its domain.  In particular, it could forge registration emails from
its users, so any system based on these will end up trusting the
provider.  Yet I'd ALSO claim the provider is one of the most
important entities for end-to-end crypto to protect us from.

 * My initial email conflated a "keyserver" with both "the authority
signing a key" and "the directory serving the signed key".  Tom points
out most projects separate these.


Elijah criticized the idea of applying CT to the "user key problem"
[3].  I think the crux of his argument is that we want anonymized key
lookup for relationship-hiding anyways, so we can use that for
auditing (like Nyms).  CT doesn't "add enough benefit to justify the

That's an interesting claim - it seems like both approaches need to be
worked out more before we could really assess that.


Some PGP vs S/MIME vs other discussion.  That should probably be
another thread, another time (divisive, not that interesting).


Greg and Trevor on Blockchains / NameCoin - Not a highlight yet, but
I've promised to have an opinion and create a discussion about this,
it's a worthy topic.


[1] https://moderncrypto.org/mail-archive/messaging/2014/000602.html
[2] https://moderncrypto.org/mail-archive/messaging/2014/000613.html
[3] https://moderncrypto.org/mail-archive/messaging/2014/000616.html
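
Added example, not part of the original post and not Nyms code: a client-side sketch of the M-of-N agreement and the later audit lookup described in the Nyms summary above. The server names, demo secrets, N=5/M=3 and the function names are assumptions, and HMAC stands in for each server's public-key signature so the sketch needs only the standard library.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo secrets standing in for each directory server's signing key.
# A real deployment would use public-key signatures; HMAC keeps this stdlib-only.
SERVER_KEYS = {f"dir{i}": f"demo-secret-{i}".encode() for i in range(1, 6)}  # N = 5
QUORUM_M = 3  # assumed threshold


def endorse(server_id, email, pubkey):
    """What one directory server would return: (server_id, pubkey, tag)."""
    msg = email.encode() + b"\x00" + pubkey
    tag = hmac.new(SERVER_KEYS[server_id], msg, hashlib.sha256).digest()
    return (server_id, pubkey, tag)


def quorum_key(email, endorsements, m=QUORUM_M):
    """Return the key endorsed by at least m distinct known servers, else None."""
    voters = defaultdict(set)  # pubkey -> servers with a valid tag for it
    for server_id, pubkey, tag in endorsements:
        secret = SERVER_KEYS.get(server_id)
        if secret is None:
            continue  # not one of the N known servers
        msg = email.encode() + b"\x00" + pubkey
        expected = hmac.new(secret, msg, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            voters[pubkey].add(server_id)  # a set: repeats from one server count once
    winners = [k for k, s in voters.items() if len(s) >= m]
    # Two keys both reaching quorum means some server equivocated: accept neither.
    return winners[0] if len(winners) == 1 else None


def audit(email, pinned_key, endorsements, m=QUORUM_M):
    """Later re-lookup: does the quorum still serve the key retrieved earlier?"""
    current = quorum_key(email, endorsements, m)
    if current is None:
        return "no-quorum"
    return "ok" if hmac.compare_digest(current, pinned_key) else "key-changed"
```

The audit only has value if the servers cannot tell the audit lookup from any other lookup, which is why the design above anonymizes it.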
