[messaging] Verified key transitions (was: TOFU to ease PGP key discovery)

Trevor Perrin trevp at trevp.net
Wed Feb 11 20:47:47 PST 2015

On Wed, Feb 11, 2015 at 1:37 PM, elijah <elijah at riseup.net> wrote:
> On 02/10/2015 10:36 PM, Trevor Perrin wrote:
>> Do you mean this:
>>  - When you replace your long-term key, the old key signs the new (and
>> maybe vice versa)?
>>  - When someone presents their new key with correct signatures, you
>> silently replace the old one in your local trust store (no key change
>> warning)
>> It avoids the warning in (2), but adds complexity - a public key no
>> longer matches one fingerprint, now it can be verified by any
>> fingerprint that chains to it.  So your protocols have to deal with
>> these chains, and users will encounter situations where they had one
>> fingerprint for Alice before talking to her, and a different one
>> after.
> I think we have established that keys will change, regardless of our
> desires. Any "automatic" key manager will need to deal with changing
> keys anyway.

I agree long-term keys will change, but mostly when either:
 * users reinstall or switch devices and don't transfer their private key
 * users no longer trust their private key

In the former case, users who won't bother to do a key transfer won't
bother to do a "verified transition" (and key transfer is the more
useful of the two, as it can also support the multidevice case,
doesn't add signature overhead, and doesn't alter the fingerprint).

In the latter case:  I think it's good that when replacing an old key
your correspondents are warned and encouraged to verify the new key.
The premise is that the old key is untrustworthy, maybe compromised -
so we *shouldn't* trust what it says about the new key.


More importantly, a simple model benefits users who have to reason
about it.  For example:
 * When you see a new key for someone you get warned and should verify it
 * If someone steals your key they can pretend to be you, so you
should change it

Now add "verified transitions":
 * When you see a new key you *sometimes* get warned, but sometimes it
just updates your address book without telling you.
 * There are now two ways to change your key for users to decide
between.  And good luck getting advice from your nerd friends or the
Internet: "Replacing your key frequently makes you more secure - press
this button as often as possible, ideally every day - or message!"

Oh, and you have to implement this:  Without this it's easy to check a
message against your local trust store - the public key matches (good)
or not (bad).

But now a non-matching key *might* be good if you can find a signature
chain for it.  Do you add that signature chain to every message?  Or
incur the lookup costs back to some server where the sender's history
is stored?

It's nice to think you can tuck these features away for advanced
users, but when you change the system model it affects all users.

Features are not free!


More information about the Messaging mailing list