From: Black Unicorn <unicorn@access.digex.net>
Date: Sat, 14 May 94 17:45:05 PDT
To: cypherpunks@toad.com
Subject: Forward of sci.crypt web of trust.
Message-ID: <199405150044.AA16061@access2.digex.net>
MIME-Version: 1.0
Content-Type: text/plain


Newsgroups: sci.crypt
Subject: Re: Announcement: Mac Crypto Interface Project



I thought I would forward this to try and provoke discussion:
++++


In article <199405140507.AAA23861@indial1.io.com>,
Terry Ritter <ritter@indial1.io.com> wrote:
> In <strnlghtCpr6DE.7C6@netcom.com> strnlght@netcom.com (David
> Sternlight) writes:
>
>>[...]
>>Thus PGP will either have to be modified to conform to the PEM Certification
>>heirarchy, Apple will have to add web-of-trust provisions to Digisign and
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>the core system utilities, or PGP Mac users will have to generate their key
>>pairs for PGP separately and use them separately from their certified AOCE
>>key pair used to sign and authenticate.
>
>>[...]
>>Ripem may shortly be adding the new "web-of-trust" addendum to the RFC on
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>PEM certificates. Whether Apple will do so or not remains to be seen.
> ^^^^^^^^^^^^^^^^
>
> I am aware of no formal analysis of "web-of-trust" as a secure
> cryptographic protocol.  Strangely, sci.crypt has held many huge
> discussions on the strength of RSA and IDEA, but few if any on
> the relative difficulty of defeating "web-of-trust."
>
> Failure of "web-of-trust" to identify a "spoofed" invalid key
> leaves the PGP design open to "man-in-the-middle" attack.  While
> many consider such attack unlikely, I wonder just how unlikely
> this cheap and easy method would be when compared to the capital
> and time required to attack even a 512-bit RSA key.  Note that
> the Network itself seems almost the ideal resource for the
> automatic re-routing of messages needed in such an attack.
[...]
> "Web-of-trust" is almost certainly the weakest part of the PGP
> design.
[...]


One of the biggest problems I see with the web of trust in PGP,
at least in the MAC version, is the difficulty in verifying signed
messages.  It's just too complicated to be done on a regular basis.

This is why it is easy to forge usenet messages now-a-days on the net, no 
one checks.

The other flaw here is characterizing the web-of-trust as a 
secure cryptograhpic protocol for your analysis.  Indeed the social aspects of 
the web-of-trust model are what your really referring to.

If a messages is signed by me, and the signature checks out, the public 
key having been verified by some physical exchange or a trusted key 
signature, validity is no longer a cryptographic question.  There is 
little doubt that the message was:

1> Signed by the public key in question.
2> Not altered since.

The real question is does the key belong to who it claims to belong to, 
and has it been compromised?  This is a social question, and makes key 
signatures a shade and not a bit (on/off black/white) question.

It now comes down to judgements about the key management practices of the 
user, and the key signature policy of the key certifiers.

A key certificate is not really a cold "certificate of authenticity,"
it is a voucher, and it's only as good as the authority it comes from.

The reason I prefer this over a centralized system is because the 
potential for compromise of the thousand potential signators on the net 
is minimal.  Because a central authority takes each potential 
certification application as a blank slate, it has basic 
unreliabilities that to me are more disturbing.  All it takes to compromise a 
central authority is a forged identification document.  If you've been to 
college you know this is a joke, if you live in LA you have more 
experience.  Why this is more trustworthy than several signatures from 
diverse, respected net or other personalities is beyond me.

What's wrong with the web of trust right now is that it takes a boolean 
approach to a non-boolean process.

Signatures should instead bear some qualifying information, like "know 
personally" or "physical exchange of key information" or "life long 
friend."  In addition I would like to see a reputation signature as 
well, a signature that says "not only is this a person who I know 
personally, but I respect this person's judgement and perspective in 
intellectual matters."  This in conjunction with the strong 
signature method would make the web-of-trust model much more effective.

Regardless, the greater problem is transparency of operation.
Once that is accomplished, it will be a trivial matter for forged usenet 
posts to be rebuked by readers realtime.


In short, you need to ask not just:

"Is it signed."

But:

"Is it signed by a public key bearing a key certificate from a user I 
trust to make good decisions."

-uni- (Dark)