[clug] request for comment: new keysigning protocol

Paul Wayper paulway at mabula.net
Wed Feb 10 05:04:49 MST 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/02/10 07:46, steve jenkin wrote:
> How would you do this differently if done electronically - ie. mediated
> by laptop, Smartphone or PDA (do they still exist?).

In two words, you don't.

As I said, the point of a keysigning is to make sure that the person with a
given name controls the key with the same name.  You have to do that
individually and personally.  The moment you get electronic communications
involved you have a broad spectrum of attacks, either to validate an invalid
identification or invalidate a valid one.  It's just as legitimate to consider
an attacker trying to stop everyone at a keysigning from being able to sign
any key as it is to consider them trying to put their own controlled identity
and/or key in the place of a legitimate one.

People do include small photos in their public key information.  You could
also GPG sign photos, videos, audio, etc with your private key - therefore
someone who checks your public key could verify that that video sounded like
the audio they hear that's also signed by that key and so forth.

But so what?  I could publish cryptographically signed video, audio, picture,
tongue print, etc. all saying I'm "Zaphod Beeblebrox".  I can even produce
what looks like a perfectly good driver's license, passport, intergalactic
space-hopper registration papers, etc.  That video of me nonchalantly yet
quickly showing you the passport is signed by that Zaphod Beeblebrox key.
What does all that mean?

Look for a moment (with, perhaps, a level of pity) at Andrew Chalmers in 2008.
 He offered shots of tequila for anyone willing to sign an otherwise
completely unverified key.  Several people took him up on the offer of
tequila.  That key is still completely unsigned.  His point was to try and
show that people can be bribed into ignoring the verification of identity.
What he did was prove that people will take advantage of any offer where the
tequila giver has no way of checking whether the people will come good on
their reciprocal offer of signing the key.  It sounded like a classic
vulnerability in the web of trust, yet what it really did was prove that
people are now wise to that kind of obvious stupidity, and probably to several
other kinds of less obvious identity mismanagement (eh, Martin Krafft? :-) ).

I can't honestly see any way any amount of signed media can independently
verify anything in a way that just signing someone else's key cannot.

> I would go cross-eyed reading a bazillion 'fingerprints' :-(

Using the Sassaman Projected, you only check one fingerprint - the checksums
of the text document that was distributed with everyone's key on it.  Then
each participant stands up, shows their ID for identification, and states that
their document checksums matched (everyone else's) and that your key
fingerprint on that document is correct.  From this you can assert that the
organisers have not tampered with the key in the master document, and
therefore the person identified by that ID is also in control of the key on
the master document.

Using the tank tread method you do have to check each person's fingerprint,
but people tend to check the last eight digits, since the likelihood of
someone being able to manipulate the key fingerprint to have a similar enough
fingerprint to anyone else on the list is about one in 100,000 (thanks to the
birthday paradox).  Checking fingerprints here isn't a method of verifying the
identity of the person - Zaphod Beeblebrox could still have a perfectly valid
key on that list, but he isn't going to be able to prove his identity to you.

> Registration desk is a good place to confirm identities with photo-id
> and for individuals & the organisers to exchange keys.

Trusting organisers is one of the ways that weakness can find its way into the
system.  Most of the methods of key signing try to avoid relying on the
authority or integrity of the organisers.  The Sassaman Projected method could
be run by someone totally corrupt and yet, if the fingerprints on the document
check out, and the people individually verify their identity and the checksums
and their fingerprint, and you can verify their identity information, it will
still work.

Hope this helps,

Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAktyoOAACgkQu7W0U8VsXYIw3wCcCIqt/4+g/izBNDmplqZuDeqc
jsoAniWIOU4wE/gb35MBZ99v500hKO6f
=7J+f
-----END PGP SIGNATURE-----

More information about the linux mailing list