[messaging] Affirmations

Vincent Breitmoser valodim at mugenguild.com
Wed Jan 7 05:44:09 PST 2015

> My point is, the web of trust is supposed to be

I consider the Web of Trust as it is now a failed concept for a general
audience, for a couple of reasons (wall of text incoming, I apologize)

* the Web of Trust is essentially a decentralized PKI where every user
  is also a CA, and which requires users to cherry-pick which CAs they
  choose to trust and to what degree. I believe this complexity to be
  way too much to ever hope for widespread adoption.

* those who use pgp tend to have strong opinions about it, especially in
  regard to secret keys and circumstances under which a certificate may
  be issued.

* reasoning about the web of trust requires so much theoretical
  background that the comfort zone most users live in is roughly the
  point where nobody tells them they are using it wrong anymore. this
  becomes very problematic when this point is achieved through dogma
  rather than reason, "thou shalt certify only after personally checking
  the fingerprint letter by letter"

* this leads to intolerance towards mistakes, wrong assumptions or even
  differing opinions about secret key usage and the circumstances
  certifications can be issued. "if you use it that way, you might just
  not use it at all" leads to people not using it at all

* the worst part is - those people with rigid opinions are sort of
  right. Alice's confidentiality properties in communications with Bob
  might depend on a certificate issued by John, who is implicitly
  burdened by this implication for every certificate he issues. A user
  who is not very diligent about his certifications lowers the average
  trustability of certifications, which is considered harmful behavior
  and quite naturally so.

* one problem that has not even really surfaced yet is that for the web
  of trust to work, you are required to publish your social graph,
  including who and when you met, and how much you trust them.

* certifications are made with the master key, which is also the part of
  the keyring which needs to be handled with the most care. convenience
  of certification is a direct tradeoff with keeping the master key in a
  safe place. this unfortunately also makes certification "on the go"
  with a mobile device a no-go for many users.

* the strong set is 55k keys.

I am not saying the WoT doesn't have its place in the world (it works
for debian). in the end, if anyone who is not involved with security or
at least computers by trade asks me how they can encrypt their email
right now - I have no good answer.

So, why do I think affirmations are a worthwhile approach?:

* perhaps most importantly, I believe the mechanism is understandable.
  For a user who is familiar with twitter, the rough idea "the owner of
  this keyring controls that twitter account, here's the tweet which
  proves it" is at least somewhat understandable, the only non-trival
  puzzle piece being "there's this number which makes sure this is
  actually correct".

* the decision of whether a key is genuine or not can be made ad hoc.
  you don't need to sign every person you ever meet because half a
  decade from now you might want to send them an email. if you want to
  write a mail to somebody, you can search for a key and the software
  provides you with possible reasons (though not proof! hence,
  "affirmations") for why this key looks like a genuine candidate.

* the owner of a keyring is directly responsible for the trustability of
  their keyring, almost fire-and-forget right after creation and not in
  a persistent effort by having other people certify it.

* it drops the dependency on real life identities. I want to write a
  mail to some developer I only know from github, I can write it to the
  person who controls the/a keyring which associates itself to this
  account. if I don't actually know this person, his real name or even
  id will have little actual meaning to me, from my perspective the
  person I want to talk to is the owner of that github account - whoever
  that is.

* seamless compatibility. if your pgp software doesn't support
  affirmation packets, no bother. if it does, you can use the
  information they provide as a basis for trust decisions, but of course
  you can also still certify people the old fashioned way.

Now obviously, an affirmation can never be as trustworthy as personal
verification. I would argue though that it is better than TOFU in this
regard, and kinda close to what CAs can offer, striking a good balance
somewhere inbetween.

> I love your enthusiasm, but can you explain how it's functionally
> different from regular PKI certificates? If Twitter cared, they
> could easily issue certificates that attested to a Twitter
> handle.

They could, but they don't. What's more, would a certificate handed out
by twitter which attests that some account belongs to you really have
more meaning than a tweet saying the same thing?

> If you simply say people are going to be identified by
> email/github/twitter handle BUT storage of those facts is going to
> be decentralised, then what you've got there is almost exactly the
> regular PKI in which no central key directories are used but a
> handful of pre-agreed authorities verify public keys.

This is true, except the authorities only have to be "pre-agreed" in the
sense that they need to be supported by the pgp client software.

 - Vincent

More information about the Messaging mailing list