[messaging] Keyservers discussion - Day 1 highlights

Bruce Leidl bruce at subgraph.com
Tue Aug 19 13:00:48 PDT 2014

On Tue, Aug 19, 2014 at 4:18 AM, Trevor Perrin <trevp at trevp.net> wrote:

>  - Once Alice has retrieved Bob's public key, she performs anonymized
> lookups at random intervals for auditing.  Instead of Tor the
> anonymized lookups use the directory servers as a mix net.  (Which is
> interesting, is that for high-latency anonymity or something else?)

It's to avoid a dependency on Tor because anonymizing lookups is
important enough that it shouldn't be an optional feature.

Mix network might not be exactly the right terminology since the
implementation I'm imagining won't mix messages since latency is
undesirable especially for looking up new keys (might be okay for
auditing).  Maybe I should have called it message based onion routing.

> Q:  I think the idea is to have a single M-of-N infrastructure sign
> keys for everyone, but the website also mentions "participating
> providers" who can sign keys for their users.  It's unclear how these
> provider-based authorities fit in?

Providers endorse keys for their own users which are then published in
the Nyms directory system.  Nyms either endorses the provider signing
keys, or itself signs the user keys after verifying provider
signature.   A provider who endorses keys should not also provide the
directory service for looking up keys because it's easier to conceal
dishonest provider behavior from a user attempting to audit their own
keys.  By requiring providers to upload keys to an independent
directory service, there will at least be a record of any attempt to
publish bad keys.

>  * An email provider is in some sense "authoritative" for emails from
> its domain.  In particular, it could forge registration emails from
> its users, so any system based on these will end up trusting the
> provider.  Yet I'd ALSO claim the provider is one of the most
> important entities for end-to-end crypto to protect us from.
> Conundrum.

Yes, this is the most interesting adversary.  I doubt there is any
secure way to bind keys to email addresses in the cast that the email
provider is fully malicious.  Hence, auditing.  Elijah put it well
when he pointed out that only users themselves know for sure what
their correct public keys are.


More information about the Messaging mailing list