From: Black Unicorn <unicorn@access.digex.net>
Date: Thu, 19 May 94 06:21:20 PDT
To: cypherpunks@toad.com (Cypherpunks List)
Subject: Forward of alt.security.pgp message
Message-ID: <199405191321.AA13157@access1.digex.net>
MIME-Version: 1.0
Content-Type: text/plain


I thought I would post this to try and spur some discussion.
It is my reply to DS's bid for the security of centralized authority in 
key certification.

In article <strnlghtCpzCqo.Jzr@netcom.com>,
David Sternlight <david@sternlight.com> wrote:
>In article <Cpz2HA.HAG.3@cs.cmu.edu>,
>Rujith S DeSilva <rudis+@cs.cmu.edu> wrote:
>
>>
>>Mr. Sternlight said that RIPEM can have signed messages in which the
>>authenticity of the public-key can be assured in the same message, and that
>>PGP cannot do so.
>>
>>Mr. Repenning's `one-word reply' was a PGP signed message in which the
>>authenticity of the public-key was assured in the same message.
>>
>
>Nope. His message simply provided his public key without any authentication
>other than those he got to sign it. Since those are themselves not
>authenticated except by the few who trust them, his public key is basically
>unauthenticated. What he DID do is prove that the message was authenticated
>with that public key. So what?
>
>Ripem provides a certificate in which a known Certification Authority (in
>most cases RSADSI--eventually the Internet authorities themselves--vouches
>for the sender's public key and one knows what standards have been applied
>to prove identity. That public key is used to sign the message. Thus the
>person is matched to his key and certified by a high-level-of-trust standard
>certifier. That key then is used to authenticate the message.
>
>Putting it another way, I can't get an RSA Certificate without passing a
>number of tests of my identity--for the Unaffiliated User Heirarchy that
>involves proving to a Notary Public I'm me, with 3 pieces of ID 
including a
>photo ID, and making that assertion under penalty of perjury.
>
>Thus the chances are pretty good I'm me and the key is mine.
 
I dispute this.
 
It is a simple matter to circumvent this requirement.  If you would like
to find three or four people on any given weekend who have the capacity
to obtain a "trusted" certification in another name, or any name they
wish, I suggest you try a college bar in Georgetown, or any other college
area for that matter.
 
Even passports are subject to sophisticated and fraudulant application.
 
Your blind trust in the ability of perjury to deter is misplaced, and I
might add, typical of your legal process way of approaching problems.
 
All a centralized authority really accomplishes is to put a cap and a
floor on the threshold to accept a given key as "valid" or that said
keyholder's name really is "Bob Dwyer."
 
PGP claims no such authority.  PGP merely says: This is who has certified
and vouched for the ownership of this key.
 
 
Take my key signing policies.
 
I will sign anothers key in two instances.  1>  If a physical exchange of
key materials is made by the key holder, and if that owner can prove
access to the secret key.  (Signed with my low security key)
 
2>  If I personally know the keyholder and am aquainted in a context
outside of the Internet, and the above criteria can be satisfied.
(Signed with my highsecurity key)
 
Which will you assert is the more reliable?  A central authority that has
never seen or heard of said applicant before?  Or an authority who has
known said applicant for months or even years outside of the internet,
and in a personal capacity?  (My method #2)
 
Until every man, woman, and teen has a smart national ID card based on
fingerprints or retina scan or DNA sampling, centralized authority is 
really a
limiter, and in many cases a deceptive appearance of "secure" certification.
 
(I might add that these methods are unacceptable to me for other reasons).
 
In fact, should you be willing to wager a sufficant amount, and assure my
non-prosecution for perjury, I would be pleased to demonstrate the
ability to circumvent the centralized procedure in whatever reasonable
protocol you would like.  Provided I have an individual who I trust to
sign keys only of those he knows, the only way to circumvent my PGP
authentication requirements is to physically intercept the secret key and
break the passphrase, or to resort to rubber hose cryptoanalysis.  A
tactic that is likely to cause key revocation in any event.
 
>With PGP one
>makes up a key, finds someone or other to sign it, and unless the signers
>are both known and trusted by every reader, one has nothing. RSA IS 
known to
>every reader and their safeguards are published.
 
So what you really have is the potential for untrusted signatures to be
given in PGP.  So?  How is this a limiter to the user who is careful
enough to screen the keys properly?  A centralized key signor authority
is merely laziness.  It is a method forwarded by those who are too sloth to
take security in their own hands and wish to have it instead provided for
them.
 
This is why PGP is often criticized:  Users are simply too lazy to look
out for themselves.  The answer is to limit everyone.  Typical American
policy, shoot for the average every time.  You don't need to learn how to
drive, we'll just make the speed limit safe for any idiot.  You don't
need to know how to brake, we'll just invent ABS.  You don't need to take
responsibility for your own security, we'll just invent a mediocre
standard to do it for you.
 
>Until PGP has some trusted official signers with high security certification
>device protection and identity safeguards, the level of authentication is
>its weakest element.
 
No, until users pay more attention to what really is a "high security
certification." authentication is its weakest element FOR THOSE USERS.
 
When users really take extensive steps to certify, a certification is MORE
secure than a centralized authority.  I'm going to trust my million
dollar transaction to a trusted friends transaction way before I trust
what amounts to the Department of Motor Vehicles' assurance of identity.
 
 
>By the way, in his example he did it wrong. First public key, then signature
>or the poor reader has to invoke PGP twice.
 
And this is a good clue perhaps on his signing procedures and caution in
methodology.
 
>David
 
 
-uni- (Dark)

-- 
073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est
6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa    -    wichtig!