----- Original Message -----
From: "Phillip Hallam-Baker" <hallam@xxxxxxxxx>
To: "IETF Discussion Mailing List" <ietf@xxxxxxxx>
Sent: Tuesday, April 02, 2019 12:40 AM

One of the challenges I have set for myself with the Mesh is to get as much security as possible with zero user effort or less. Users won't make any effort for security; the sooner we realize this and decide to live with it, the sooner we can start delivering useful security.

<tp>
Around me, commercial radio stations are now carrying public service advertisements on the damage that can occur with a weak password and are broadcasting advice on how to make passwords more secure. The advice is sound, so clearly the powers that be think that they can get end users to make a greater effort to save themselves from attack. How effective this will be I cannot tell nor, I suspect, will the advertisers be able to. At least they have stopped telling people that a padlock on the web page means that they are safe - I have tackled that head-on with zero effect.

Tom Petch

I believe that CAs do have a role in supporting end-to-end email security, just not the one that they are assigned in the S/MIME ecosystem. WebPKI CAs deliver a useful and important function in authenticating organizations. Applying that model to individuals doesn't work.

The PGP Web of Trust model doesn't really work either. Not at Internet scale with four billion users. The Moore bound and the Sybil attack cause trust to decay rapidly over distance.

So why am I suggesting key signing parties? And why post this to the IETF list rather than a security list?

It turns out that if you combine the Web of Trust model with the CA model, you can achieve higher trust metrics than in either model on its own. Particularly if you have an append-only log involved that allows you to notarize and timestamp the trust assertions from time to time. I won't go into the details of that model here; I have a draft with the details for those interested.
At one time, the IETF used to hold PGP key signing parties. Well, here is the first problem: OpenPGP is only one app. We really need to secure SSH as well, that is the technology used to access Git repos. We should probably take rather more care than we do with the confidentiality of communications between IETF participants, but integrity attacks almost always dominate.

So let us imagine that we are all root of our own personal PKI and this allows us to sign keys for all the applications on all the devices that we need to use to be secure. That is the purpose of the Mathematical Mesh. Now imagine that this personal PKI is designed so that my personal root key need never expire. Or at least not until I do.

So now let's take a fingerprint of that key. And let's imagine that I provide that fingerprint to the IETF during registration 'somehow' (add encryption to taste).

So at this point, I am attending a conference at non-trivial expense (typically $2,500) at which I am well known to most people and will be registering by presenting ID. Surely there is some way we can leverage that to gain a useful endorsement of my key fingerprint for at least IETF purposes. Not least when, for IETF purposes, it is the identity that you know me as that matters, not any of the other identities I might have held over an eventful life.

The simplest approach would be to simply enroll the fingerprint and the credentials I presented in an append-only hash chain, but that does not get us to binding of identity. We could use the fact I am carrying a device (phone) connected to my Mesh profile and potentially running an app that can present and/or scan QR codes to create a stronger binding and possibly streamline registration.

I will elide the cryptography, but assume I am using plenty. The user experience I am looking at right now would have the conference present a QR code on a screen that changes every 30 seconds or so or each time it is scanned.
That presents a domain name and a cryptographic challenge. When scanned using the app, the challenge is put through a one-way function to obtain the locator for a document giving the rest of the information needed to complete the registration.

So now my app is saying 'do you want to pick up your IETF badge' or whatever, and I click yes, and that causes the app to post my Mesh fingerprint to a URI indicated in the document, and that causes the desk to get a note to look for phill's badge and also tells my conference scheduling app to load the IETF material. [Quite possibly customized to include my Directorate etc. private events]

So then I may or may not present government ID to pick up my badge (depending on conference policy). But this could at least in practice be captured as part of the same process (or not). And then of course we throw the resulting assertion in a blockchain (or whatever we decide to call them after the BitCoin crash).

Now imagine we have been doing this sort of thing for five years. At this point, we have a pretty solid binding of identity. It is not perfect but it has a very very high work factor, and if the attacker hasn't planned the attack in advance, they kinda need a time machine.

It is possible that it is worthwhile the IETF doing this for our own consumption, but of course the real point is to establish a model that can be applied at all sorts of conferences and in universities and eventually in high schools and churches, etc.

To be clear, this approach addresses one particular set of validation concerns but does not serve every purpose. If Alice is a government official and I am emailing her in that capacity, what is important to me is that I am interacting with a duly authorized government official, not 'Alice'. And once you get into strong identity assertions you start to find pretty quickly that you need pseudonymity modes, even for government officials, or maybe especially.
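The QR-code registration flow sketched in the quoted message, modelled as added example code (not from the thread or from the Mesh project): it assumes SHA-256 as the one-way function from challenge to locator, a 30-second single-use challenge window, a hash-chained list standing in for the append-only log, and an in-memory dict standing in for the HTTPS fetch of the registration document. All names, URIs and the root key bytes are constructed for the example.

```python
import hashlib
import json
import secrets

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def chain_hash(entry: dict) -> str:
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())

class ConferenceDesk:
    def __init__(self, domain: str, rotate_s: int = 30):
        self.domain, self.rotate_s = domain, rotate_s
        self.pending = {}     # challenge -> issue time; each challenge is single use
        self.docs = {}        # locator -> registration document (constructed)
        self.log = []         # append-only list of accepted assertions
        self.head = "0" * 64  # hash of the latest log entry (genesis value)

    def qr_payload(self, now: float) -> dict:
        """What the screen shows: the desk's domain plus a fresh challenge."""
        challenge = secrets.token_hex(32)
        self.pending[challenge] = now
        locator = sha256_hex(bytes.fromhex(challenge))  # one-way function of challenge
        self.docs[locator] = {"post_uri": f"https://{self.domain}/reg/{locator}"}
        return {"domain": self.domain, "challenge": challenge}

    def post_fingerprint(self, challenge: str, fingerprint: str, now: float):
        """Accept a posted fingerprint once, inside the rotation window."""
        issued = self.pending.pop(challenge, None)
        if issued is None or now - issued > self.rotate_s:
            return None  # replayed or stale challenge: nothing is logged
        entry = {"prev": self.head, "challenge": challenge,
                 "fingerprint": fingerprint, "time": int(now)}
        self.head = chain_hash(entry)
        self.log.append(entry)
        return self.head

def attendee_scan(desk: ConferenceDesk, qr: dict, root_pubkey: bytes, now: float):
    """Phone app side: derive the locator, read the document, post the fingerprint."""
    locator = sha256_hex(bytes.fromhex(qr["challenge"]))
    doc = desk.docs[locator]  # stands in for an HTTPS fetch from the desk's domain
    if not doc["post_uri"].startswith(f"https://{qr['domain']}/"):
        return None  # document points somewhere other than the scanned domain
    return desk.post_fingerprint(qr["challenge"], sha256_hex(root_pubkey), now)

def verify_log(log: list, head: str) -> bool:
    """Anyone can recompute the chain; editing an entry breaks every later link."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev:
            return False
        prev = chain_hash(entry)
    return prev == head
```

A replayed or expired challenge is rejected without touching the log, and a later edit to any logged entry is caught because the next entry's `prev` no longer matches.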
Yes, I got that one too, but like I said, I am eliding the crypto because that isn't the important part; if we can specify the requirements, the crypto is merely a math problem.