[messaging] TOFU to ease PGP key discovery

Joseph Bonneau jbonneau at gmail.com
Mon Feb 9 09:44:08 PST 2015

On Mon, Feb 9, 2015 at 9:20 AM, Trevor Perrin <trevp at trevp.net> wrote:
> I don't think Whiteout's proposal is the same as CA offerings.
> Whiteout is proposing a key directory where you can lookup public
> keys.
> I think a few CAs issue S/MIME certs (for pay, though there seem to be
> free offerings for personal use); but CAs don't run lookup services
> that I'm aware of.

I agree, but this is a spectrum. In the middle you could have short-lived
CA certs with an untrusted lookup service (which could be Whiteout). This
is really about caching and revocation efficiency and not the trust model.

> > Opportunistic crypto is fine, but it feels like this second approach is not
> > any better than just telling people to use Gmail. Both ends have TLS on the
> > wire and it's only susceptible to a targeted attack, so the security level
> > is the same.
> I don't see that - if you do end-to-end OE, users can check
> fingerprints to ensure there's no MITM.  This isn't possible with
> Gmail

Intercepting Gmail is not easy in that most entities can't do it, but it's
also not necessarily targeted. If you're able to compromise or legally
coerce Google, you can get everything at once basically for free, since
Google already sees everything in cleartext and just needs to add a tap.
From an engineering standpoint it may be much harder to MITM millions of DH
exchanges every day. One way to look at it is that Google has already built a
massive, reliable infrastructure to MITM all of its clients in real-time
(as the connection isn't end-to-end), whereas for a simpler server you
would have to build this all on your own.

But the general point is, once you have opportunistic encryption you can
incrementally add features to improve security. Comparing fingerprints out
of band is one possibility. One could also try a Perspectives approach,
querying the Whiteout server from various network positions to see what
keys are returned for your username. Or you could try to add a global log
like with CONIKS to increase confidence that there is no equivocation going
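An added example, not code from this thread, from Whiteout or from CONIKS, to make the three checks named above concrete. It models a key directory that can equivocate (serving one key for a username to most clients and a different one to a single targeted network position), and layers on it a TOFU pin, a Perspectives-style comparison of lookups from several vantage points, and a CONIKS-style Merkle tree head that auditors compare to detect equivocation. The usernames, keys and vantage names are constructed, and an HMAC under a provider key stands in for the provider's signature on the tree head; all of these are assumptions of the example.

```python
# Added example, not code from the thread, Whiteout or CONIKS. It models a key
# directory that can equivocate (serve one key for a username to most clients
# and another to a targeted network position) and layers on it the three
# checks the message lists: TOFU pinning, a Perspectives-style comparison of
# lookups from several vantage points, and a CONIKS-style Merkle tree head
# that auditors compare to detect equivocation. User names, keys and the HMAC
# standing in for the provider's signature are assumptions of this example.
import hashlib
import hmac

def leaf_hash(user, key):
    # Domain-separated leaf: H(0x00 || user || 0x00 || key).
    return hashlib.sha256(b"\x00" + user.encode() + b"\x00" + key.encode()).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(bindings):
    """Merkle tree over sorted username->key bindings. Returns (root, proofs);
    proofs[user] lists (sibling, sibling_is_left) from leaf to root. Odd levels
    are padded by repeating the last node (a toy rule, not a production one)."""
    users = sorted(bindings)
    level = [leaf_hash(u, bindings[u]) for u in users]
    proofs, pos = {u: [] for u in users}, {u: i for i, u in enumerate(users)}
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        for u in users:
            sib = pos[u] ^ 1
            proofs[u].append((level[sib], sib < pos[u]))
            pos[u] //= 2
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], proofs

def verify_inclusion(user, key, proof, root):
    cur = leaf_hash(user, key)
    for sib, sib_is_left in proof:
        cur = node_hash(sib, cur) if sib_is_left else node_hash(cur, sib)
    return cur == root

def tree_head(provider_key, epoch, root):
    # CONIKS publishes a Signed Tree Head per epoch; an HMAC under a provider
    # key stands in for that signature here (an assumption of this example).
    tag = hmac.new(provider_key, epoch.to_bytes(8, "big") + root, "sha256").hexdigest()
    return {"epoch": epoch, "root": root.hex(), "tag": tag}

class EquivocatingDirectory:
    """Toy lookup service. Every answer carries a valid inclusion proof against
    *some* root, so a lone client cannot tell from the proof that it was lied to."""

    def __init__(self, provider_key, bindings, epoch=1):
        self.provider_key, self.honest, self.epoch = provider_key, dict(bindings), epoch
        self.views = {}  # vantage -> substituted bindings shown only there

    def substitute(self, vantage, user, attacker_key):
        self.views[vantage] = {**self.honest, user: attacker_key}

    def lookup(self, vantage, user):
        view = self.views.get(vantage, self.honest)
        root, proofs = build_tree(view)
        return {"user": user, "key": view[user], "proof": proofs[user],
                "sth": tree_head(self.provider_key, self.epoch, root)}

def tofu_check(pins, user, key):
    # Trust on first use: pin the first key seen, flag any later change.
    if user not in pins:
        pins[user] = key
        return "first-use"
    return "ok" if pins[user] == key else "changed"

def perspectives_agree(responses):
    # Perspectives-style check: lookups from every vantage must return one key.
    return len({r["key"] for r in responses.values()}) == 1

def coniks_equivocated(responses):
    # Auditors gossip tree heads: one epoch must map to exactly one root.
    roots = {}
    for r in responses.values():
        roots.setdefault(r["sth"]["epoch"], set()).add(r["sth"]["root"])
    return any(len(s) > 1 for s in roots.values())

def demo():
    # Constructed sample data: three users, three vantage points, one attack.
    d = EquivocatingDirectory(b"provider-secret", {
        "alice@example.com": "KEY-A1", "bob@example.com": "KEY-B1", "carol@example.com": "KEY-C1"})
    target, vantages = "alice@example.com", ["home", "office", "tor-exit"]
    honest = {v: d.lookup(v, target) for v in vantages}
    d.substitute("tor-exit", target, "KEY-MITM")
    attacked = {v: d.lookup(v, target) for v in vantages}
    pins = {}
    tofu = [tofu_check(pins, target, honest["home"]["key"]),
            tofu_check(pins, target, attacked["home"]["key"]),
            tofu_check(pins, target, attacked["tor-exit"]["key"])]
    every = list(honest.values()) + list(attacked.values())
    return {
        "proofs_verify": all(verify_inclusion(r["user"], r["key"], r["proof"],
                                              bytes.fromhex(r["sth"]["root"])) for r in every),
        "perspectives_honest": perspectives_agree(honest),
        "perspectives_attacked": perspectives_agree(attacked),
        "coniks_honest": coniks_equivocated(honest),
        "coniks_attacked": coniks_equivocated(attacked),
        "tofu": tofu,
    }
```

Running `demo()` shows the point of the layering: every per-vantage answer, including the substituted one, verifies against the root it was served with, so inclusion proofs alone prove nothing about equivocation. The TOFU pin flags the change only because the client had already pinned the honest key; a client whose first lookup happens at the attacked vantage pins the attacker's key. Comparing keys across vantages catches the split view, and comparing tree heads for the same epoch catches it without the auditors needing to know which key is right.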