[messaging] TOFU to ease PGP key discovery

Trevor Perrin trevp at trevp.net
Mon Feb 9 11:40:30 PST 2015

On Mon, Feb 9, 2015 at 9:57 AM, Mike Hearn <mike at plan99.net> wrote:
>> I don't think Whiteout's proposal is the same as CA offerings.
>> Whiteout is proposing a key directory where you can lookup public
>> keys.
> My understanding is that keys fetched from their own key server, have had
> their email address verified, thus Whiteout acts as a CA.

An S/MIME CA verifies your email address (and perhaps other
information) and issues a certificate, with the goal that this cert
suffices for trust establishment.

The Whiteout proposal verifies your email address and makes your
public key available in an online directory, with the goal of enabling
opportunistic encryption.

This seems like different goals and different mechanisms.

> Key lookup directories have a couple of
> problems
> Lookups leak who you're talking to
> Initial emails being encrypted interferes with spam filters
> The S/MIME default is, Alice sends a cleartext but signed mail to Bob. Bob
> replies with a signed and encrypted message. Now the key exchange is
> complete. The first mail from Alice to Bob has to be something good enough
> to distinguish it from spam and get Bob's attention without actually
> revealing anything sensitive, which is a whole kettle of usability fish by
> itself, but the act of replying teaches the spam filter that Bob is legit

OK, so you're proposing a totally different system than Whiteout.
When you say this is the "S/MIME default", are you saying S/MIME
software and MTAs automatically do all this, currently?

Regardless, you're arguing that key directories are bad because they
leak metadata, and are unnecessary since the first message(s) from
sender->recipient need to be in plaintext to appease the antispam
system.  So you can piggyback the sender's public key there, and the
recipient's public key on the response.

Provider-based key directories address the first point - if a sender
does their lookup over the same channel they deliver the message,
there's no added metadata leak.  (Yes, this requires provider support,
but you're already assuming that for "teaching" the spam filter).

To your second point: giving up encryption for initial messages is a
big loss.  Moreover, it doesn't solve the entire problem - if you want
reliable automatic encryption, key lookup isn't just a *first* message
problem, it's an *every* message problem, because keys change.

> You're right that people can compare fingerprints (with either protocol). If
> you go above and beyond what Whiteout does then it can be more secure than
> just using Gmail. But you need to obtain the fingerprint/key from somewhere
> out of band. If you're doing that, you don't need the key servers or
> Whiteout CA anymore, and the features discussed in the blog post are
> irrelevant.

Disagree - I think opportunistic encryption and
automatically-distributed keys is better than manual key distribution
for many reasons, e.g.
 - Opportunistic encryption obscures which users are performing
end-to-end auth, protecting those users from standing out, and
protecting all other users by creating uncertainty about which
communications can be attacked without detection.
 - Automatic key distribution eases use of out-of-band methods (e.g.
comparing fingerprints) since you only have to compare small values
and can do it retroactively, instead of having to exchange larger
public keys as a prerequisite to communication.

More here:


>> But is it really true that S/MIME is "much more widely used in
>> corporate deployments than PGP"?  Do you have numbers on that, or more
>> info on who/where all this S/MIME adoption is?
> That's a good question. I admit, I'm repeating something I have frequently
> read, but I don't have data on it. I think S/MIME is not widely deployed by
> any measure either, but it'd only take a handful of large deployments to
> probably exceed the size of the PGP userbase.

It would only take a handful of large PGP deployments to exceed the
PGP userbase.

> For example the US DoD has a pretty large PKI setup with smartcards, etc.

I suspect DoD *likes* complex systems no-one else gets much value
from, so that's also not much of an endorsement.

> It's all anecdotal though. E2E crypto conflicts with legal discoverability
> requirements so I would expect it to be mostly used for signing rather than
> crypto.

Signing is easy though, particularly if no-one verifies....


More information about the Messaging mailing list