Forward of sci.crypt web of trust.
Newsgroups: sci.crypt
Subject: Re: Announcement: Mac Crypto Interface Project
I thought I would forward this to try and provoke discussion:
++++
In article <[email protected]>,
Terry Ritter <[email protected]> wrote:
> In <[email protected]> [email protected] (David
> Sternlight) writes:
>
>>[...]
>>Thus PGP will either have to be modified to conform to the PEM Certification
>>hierarchy, Apple will have to add web-of-trust provisions to Digisign and
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>the core system utilities, or PGP Mac users will have to generate their key
>>pairs for PGP separately and use them separately from their certified AOCE
>>key pair used to sign and authenticate.
>
>>[...]
>>Ripem may shortly be adding the new "web-of-trust" addendum to the RFC on
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>PEM certificates. Whether Apple will do so or not remains to be seen.
> ^^^^^^^^^^^^^^^^
>
> I am aware of no formal analysis of "web-of-trust" as a secure
> cryptographic protocol. Strangely, sci.crypt has held many huge
> discussions on the strength of RSA and IDEA, but few if any on
> the relative difficulty of defeating "web-of-trust."
>
> Failure of "web-of-trust" to identify a "spoofed" invalid key
> leaves the PGP design open to "man-in-the-middle" attack. While
> many consider such attack unlikely, I wonder just how unlikely
> this cheap and easy method would be when compared to the capital
> and time required to attack even a 512-bit RSA key. Note that
> the Network itself seems almost the ideal resource for the
> automatic re-routing of messages needed in such an attack.
[...]
> "Web-of-trust" is almost certainly the weakest part of the PGP
> design.
[...]
One of the biggest problems I see with the web of trust in PGP,
at least in the Mac version, is the difficulty in verifying signed
messages. It's just too complicated to be done on a regular basis.
This is why it is easy to forge usenet messages nowadays on the net: no
one checks.
The other flaw here is characterizing the web-of-trust as a
secure cryptographic protocol for your analysis. Indeed the social aspects of
the web-of-trust model are what you're really referring to.
If a message is signed by me, and the signature checks out, the public
key having been verified by some physical exchange or a trusted key
signature, validity is no longer a cryptographic question. There is
little doubt that the message was:
1> Signed by the public key in question.
2> Not altered since.
The real question is does the key belong to who it claims to belong to,
and has it been compromised? This is a social question, and makes key
signatures a shade and not a bit (on/off black/white) question.
It now comes down to judgements about the key management practices of the
user, and the key signature policy of the key certifiers.
A key certificate is not really a cold "certificate of authenticity,"
it is a voucher, and it's only as good as the authority it comes from.
The reason I prefer this over a centralized system is because the
potential for compromise of the thousand potential signatories on the net
is minimal. Because a central authority takes each potential
certification application as a blank slate, it has basic
unreliabilities that to me are more disturbing. All it takes to compromise a
central authority is a forged identification document. If you've been to
college you know this is a joke, if you live in LA you have more
experience. Why this is more trustworthy than several signatures from
diverse, respected net or other personalities is beyond me.
What's wrong with the web of trust right now is that it takes a boolean
approach to a non-boolean process.
Signatures should instead bear some qualifying information, like "know
personally" or "physical exchange of key information" or "life long
friend." In addition I would like to see a reputation signature as
well, a signature that says "not only is this a person who I know
personally, but I respect this person's judgement and perspective in
intellectual matters." This in conjunction with the strong
signature method would make the web-of-trust model much more effective.
Regardless, the greater problem is transparency of operation.
Once that is accomplished, it will be a trivial matter for forged usenet
posts to be rebuked by readers realtime.
In short, you need to ask not just:
"Is it signed?"
But:
"Is it signed by a public key bearing a key certificate from a user I
trust to make good decisions?"
-uni- (Dark)
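The qualified, non-boolean key certification that the post above argues for, as an added worked example (not code from the post, from PGP or from any Apple product). It models a key ring in which each certification carries a qualifier such as "physical exchange" or "know personally", a separate reputation signature can vouch for a certifier's judgement, and the validity of a key comes out as a shade between 0 and 1 rather than a bit. The qualifier weights, the reputation discount, the key names and the certification graph are all constructed assumptions for illustration; actual signature verification is assumed to have been done already by the PGP implementation and is passed in as a flag. Two checks a practitioner would want are built in: a certification from a key that is not itself fully valid counts for nothing, which is what keeps an attacker's self-certifying cluster of keys (the man-in-the-middle case in the quoted text) at zero, and a revoked key neither counts as valid nor lends weight to anything it has signed.

```python
"""Toy evaluator for a web of trust with qualified certifications.

Added illustration for the discussion above; NOT the PGP algorithm and not
code from the original post. Names, weights and the certification graph
are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed weights for the qualifiers a certifier can attach to a signature.
QUALIFIER_WEIGHT = {
    "physical exchange": 1.0,
    "life long friend": 1.0,
    "know personally": 0.8,
    "checked fingerprint by phone": 0.6,
    "unqualified": 0.3,
}
# A reputation signature lends the subject only part of the signer's own
# introducer trust (assumed value).
REPUTATION_DISCOUNT = 0.5


@dataclass
class Certification:
    signer: str           # key id that made the signature
    subject: str          # key id being vouched for
    qualifier: str = "unqualified"
    reputation: bool = False  # True: "I respect this person's judgement"


@dataclass
class KeyRing:
    owner: str                     # the ring owner's own key id
    introducers: dict              # key id -> explicit trust in their certifying, 0..1
    certs: list
    revoked: set = field(default_factory=set)  # keys known compromised or retired

    def validity(self, key_id, _visiting=frozenset()):
        """How sure the owner is that key_id belongs to its claimed holder, 0..1."""
        if key_id in self.revoked:
            return 0.0
        if key_id == self.owner:
            return 1.0
        if key_id in _visiting:          # cycle: a key cannot help vouch for itself
            return 0.0
        visiting = _visiting | {key_id}
        score = 0.0
        for c in self.certs:
            if c.subject != key_id or c.reputation:
                continue
            # A certification from a key that is not itself fully valid is
            # worthless: otherwise an attacker's self-signed keys would vouch
            # for each other (the man-in-the-middle case).
            if self.validity(c.signer, visiting) < 1.0:
                continue
            weight = QUALIFIER_WEIGHT.get(c.qualifier, QUALIFIER_WEIGHT["unqualified"])
            score += self.trust(c.signer, visiting) * weight
        return min(score, 1.0)

    def trust(self, key_id, _visiting=frozenset()):
        """How far the owner trusts key_id's holder to certify others, 0..1.

        Explicit introducer trust wins; otherwise trust is derived, one hop only,
        from reputation signatures made by explicit introducers whose keys are valid.
        """
        if key_id == self.owner:
            return 1.0
        if key_id in self.introducers:
            return self.introducers[key_id]
        best = 0.0
        for c in self.certs:
            if c.subject != key_id or not c.reputation:
                continue
            if c.signer != self.owner and c.signer not in self.introducers:
                continue
            if self.validity(c.signer, _visiting) < 1.0:
                continue
            best = max(best, self.trust(c.signer) * REPUTATION_DISCOUNT)
        return best


def judge(ring, key_id, signature_ok):
    """Answer the post's second question, not just 'is it signed?'."""
    if not signature_ok:
        return "reject: signature does not verify"
    v = ring.validity(key_id)
    if v == 0.0:
        return "reject: key has no usable certification"
    return "accept" if v >= 1.0 else f"shade: key validity {v:.2f}"


def build_ring():
    """Constructed sample: alice's ring with a genuine web and an attacker cluster."""
    return KeyRing(
        owner="alice",
        introducers={"bob": 1.0},
        certs=[
            Certification("alice", "bob", "physical exchange"),
            Certification("bob", "carol", "know personally"),
            Certification("alice", "carol", "checked fingerprint by phone"),
            Certification("bob", "carol", reputation=True),
            Certification("carol", "dave", "physical exchange"),
            Certification("bob", "dave"),                      # unqualified
            Certification("eve", "mallory", "physical exchange"),  # attacker cluster:
            Certification("mallory", "eve", "physical exchange"),  # nobody alice trusts signed these
        ],
    )


if __name__ == "__main__":
    ring = build_ring()
    for k in ("bob", "carol", "dave", "mallory"):
        print(k, round(ring.validity(k), 2), judge(ring, k, True))
```

Running it shows bob and carol fully valid, dave a shade (0.8: carol's trust is only derived from bob's reputation signature, and bob's own signature on dave is unqualified), and mallory at 0 even though two signatures sit on the key, because neither signer's key is valid from alice's point of view. Adding "bob" to `ring.revoked` pulls carol down to 0.6 and dave to 0, which is the "has it been compromised?" half of the post's question.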