Re: A different way to do key signing parties.

----- Original Message -----
From: "Phillip Hallam-Baker" <hallam@xxxxxxxxx>
To: "IETF Discussion Mailing List" <ietf@xxxxxxxx>
Sent: Tuesday, April 02, 2019 12:40 AM

One of the challenges I have set for myself with the Mesh is to get as
much security as possible with zero user effort or less. Users won’t
make any effort for security, the sooner we realize this and decide to
live with it, the sooner we can start delivering useful security.

<tp>
Around me, commercial radio stations are now carrying public service
advertisements on the damage that can occur with a weak password and are
broadcasting advice on how to make passwords more secure.

The advice is sound so clearly the powers that be think that they can
get end users to make a greater effort to save themselves from attack.
How effective this will be I cannot tell nor, I suspect, will the
advertisers be able to.

At least they have stopped telling people that a padlock on the web page
means that they are safe - I have tackled that head-on with zero effect.

Tom Petch

I believe that CAs do have a role in supporting end-to-end email
security, just not the one that they are assigned in the S/MIME
ecosystem. WebPKI CAs deliver a useful and important function in
authenticating organizations. Applying that model to individuals doesn’t
work.

The PGP Web of Trust model doesn’t really work either. Not at Internet
scale with four billion users. The Moore bound and the Sybil attack
cause trust to decay rapidly over distance.

So why am I suggesting key signing parties? And why post this to the
IETF list rather than a security list?

It turns out that if you combine the Web of Trust model with the CA
model, you can achieve higher trust metrics than in either model on its
own. Particularly if you have an append only log involved that allows
you to notarize and timestamp the trust assertions from time to time.

I won’t go into the details of that model here, I have a draft with the
details for those interested.

At one time, the IETF used to hold PGP key signing parties. Well here is
the first problem, OpenPGP is only one app. We really need to secure SSH
as well, that is the technology used to access GIT repos. We should
probably take rather more care than we do with confidentiality of
communications between IETF participants than we do, but integrity
attacks almost always dominate.

So let us imagine that we are all root of our own personal PKI and this
allows us to sign keys for all the applications on all the devices that
we need to use to be secure. That is the purpose of the Mathematical
Mesh.

Now imagine that this personal PKI is designed so that my personal root
key need never expire. Or at least not until I do. So now let's take a
fingerprint of that key. And let's imagine that I provide that
fingerprint to the IETF during registration ‘somehow’ (add encryption to
taste).

So at this point, I am attending a conference at non-trivial expense
(typically $2,500) at which I am well known to most people and will be
registering by presenting ID. Surely there is some way we can leverage
that to gain a useful endorsement of my key fingerprint for at least
IETF purposes. Not least when for IETF purposes, it is the identity that
you know me as for IETF purposes that matters, not any of the other
identities I might have held over an eventful life.

The simplest approach would be to simply enroll the fingerprint and the
credentials I presented in an append only hash chain but that does not
get us to binding of identity.

We could use the fact I am carrying a device (phone) connected to my
Mesh profile and potentially running an app that can present and/or scan
QR codes to create a stronger binding and possibly streamline
registration.

I will elide the cryptography, but assume I am using plenty. The user
experience I am looking at right now would have the conference present a
QR code on a screen that changes every 30 seconds or so or each time it
is scanned. That presents a domain name and a cryptographic challenge.
When scanned using the app, the challenge is put through a one way
function to obtain the locator for a document giving the rest of the
information needed to complete the registration.

So now my app is saying ‘do you want to pick up your IETF badge’ or
whatever and I click yes and that causes the app to post my Mesh
fingerprint to a URI indicated in the document and that causes the desk
to get a note to look for phill’s badge and also tells my conference
scheduling app to load the IETF material. [Quite possibly customized to
include my Directorate etc. private events]

So then I may or may not present government ID to pick up my badge
(depending on conference policy). But this could at least in practice be
captured as part of the same process (or not). And then of course we
throw the resulting assertion in a blockchain (or whatever we decide to
call them after the BitCoin crash).

Now imagine we have been doing this sort of thing for five years. At
this point, we have a pretty solid binding of identity. It is not
perfect but it has a very very high work factor and if the attacker
hasn’t planned the attack in advance, they kinda need a time machine.

It is possible that it is worth while IETF doing this for our own
consumption but of course the real point is to establish a model that
can be applied at all sorts of conferences and in universities and
eventually in high schools and churches, etc.

To be clear, this approach addresses one particular set of validation
concerns but does not serve every purpose. If Alice is a government
official and I am emailing her in that capacity, what is important to me
is that I am interacting with a duly authorized government official, not
‘Alice’. And once you get into strong identity assertions you start to
find pretty quickly that you need pseudonymity modes, even for
government officials, or maybe especially. Yes, I got that one too but
like I said, I am eliding the crypto because that isn’t the important
part, if we can specify the requirements, the crypto is merely a math
problem.
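
The hash-chain enrollment and the QR challenge-to-locator step described in the message, as an added sketch that is not part of the original post and not the Mesh's own construction. SHA-256 as the one-way function, the URL layout, the record fields and the sample values are all assumptions made for illustration.

```python
import hashlib
import json
import secrets

GENESIS = "0" * 64  # constructed starting value for the chain


def new_challenge() -> str:
    """Fresh random challenge for each QR code shown at the desk."""
    return secrets.token_hex(16)


def locator(domain: str, challenge: str) -> str:
    """Challenge -> document locator via a one-way function (SHA-256 assumed)."""
    digest = hashlib.sha256(challenge.encode()).hexdigest()
    return f"https://{domain}/reg/{digest}"  # hypothetical URL layout


def entry_hash(prev: str, record: dict) -> str:
    """Hash of a record bound to the hash of the entry before it."""
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()


def build_log(records: list) -> list:
    """Chain each record to the hash of the entry before it."""
    log, prev = [], GENESIS
    for record in records:
        h = entry_hash(prev, record)
        log.append({"prev": prev, "record": record, "hash": h})
        prev = h
    return log


def verify(log: list, notarized_head: str) -> bool:
    """Recompute every link, then compare the head with the notarized one."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return False
        prev = e["hash"]
    return prev == notarized_head


# Constructed sample enrollments: fingerprint plus the credential presented.
SAMPLE = [
    {"fingerprint": "FP-EXAMPLE-1", "credential": "badge-2015"},
    {"fingerprint": "FP-EXAMPLE-1", "credential": "badge-2016"},
    {"fingerprint": "FP-EXAMPLE-1", "credential": "badge-2017"},
]
```

verify() fails both for an entry edited in place and for a history that was fully recomputed after the head was notarized, which is why rewriting an old enrollment needs the "time machine" the message mentions.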




