1996-08-06 - PGP public key servers are NOT useful!

Header Data

From: John Anonymous MacDonald <remailer@cypherpunks.ca>
To: cypherpunks@toad.com
Message Hash: 7a06525860fb49155e8eddd09f285bd296f0e77ce4fd50bf7431a9ff1c4a58c1
Message ID: <199608060552.WAA04209@abraham.cs.berkeley.edu>
Reply To: <199608052141.QAA15347@bluestem.prairienet.org>
UTC Datetime: 1996-08-06 08:16:43 UTC
Raw Date: Tue, 6 Aug 1996 16:16:43 +0800

Raw message

From: John Anonymous MacDonald <remailer@cypherpunks.ca>
Date: Tue, 6 Aug 1996 16:16:43 +0800
To: cypherpunks@toad.com
Subject: PGP public key servers are NOT useful!
In-Reply-To: <199608052141.QAA15347@bluestem.prairienet.org>
Message-ID: <199608060552.WAA04209@abraham.cs.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


"David E. Smith" <dsmith@prairienet.org> writes:
> Over the last couple of weeks, I've noticed a lot
> of subscribers who PGP clearsign their messages,
> but who haven't uploaded their keys to any of
> the public keyservers.
> 
> Those keys are most useful when they're
> available to people who might want to use them,
> so I'm asking those of you who haven't sent
> them to a keyserver to do so.

I, for one, make it a point of never using the PGP public key servers.
I make my key available by finger, and always check for people's keys
through finger.  The problem with the PGP public key servers is that
one has absolutely no control over what gets uploaded there in one's
own name.

If someone really wanted to prevent me from using PGP, for example,
that person could just upload 500 different PGP keys to the key
servers all with my E-mail address as the key ID.  Even if you already
have a PGP key of someone you trust who has certified my key, are you
really going to verify all 500 other keys until you find the one that
is certified by the real trusted person?

Moreover, what's to stop someone from downloading my key, adding an ID
"kkk grand wizard", signing it with a fake "David Duke" key, and
uploading the new signature to the PGP servers.  I don't want anyone
to be able to put such things on my PGP key in the place where most
people will go looking for it first.

Deleting a key from a PGP key server is probably even more difficult
than getting an error corrected on your credit report.  Even if one
keyserver deletes it, it will probably end up propagating there again
from another server.

The finger approach is far from perfect, because not everyone can run
a finger daemon accessible to the net at large.  Moreover, even people
with PGP keys in their .plan files often can't be fingered at their
mail hubs (in fact, people often receive E-mail at addresses which are
only DNS "MX records" which don't have corresponding IP addresses).

Thus, I'm not saying finger is the solution.  However, at least people
have control over the plausible PGP key finger locations in a way that
fits sensibly with the key ID's sought.  In other words, if I have
absolutely no affiliation with Berkeley, I should not be able to stick
a PGP key with an ID ending "<..@cs.berkeley.edu>" where people will
primarily look for such keys.  (Of course I'm welcome put the key any
other place I have access to.)

Note finally that the key distribution problem addressed by the key
servers has nothing to do with key certification.  I think one of
PGP's greatest strenghts is that anyone can certify any one else's
public key.  I hate the idea of a hierarchical system where you might
have to pay $20 and wait 3 days to get a public key (Verasign I gather
does this for SSL certificates, though the cost/wait are probably
completely different).  Thus, while I'm advocating some kind of
hierarchical key distribution mechanism, I absolutely don't want to
see that kind of structure imposed on key certification.

In fact, the key distribution problem is just the opposite of key
certification in that one wants to prevent unwanted certificates and
keys from being interpreted as condoned by the supposed owner of the
PGP key.  Even if my key really was certified by someone a year ago,
if I've now forgotten the passphrase I don't want to keep having
people grab my old key.  I also don't want random attacks on my
character appended to my PGP key where most people will seek it.

Finally, for those who desire the "light security" of encrypting with
my PGP public key even though they can't verify any of the
certificates (and I do get plenty of such PGP-encrypted mail), it
might be nice to have a system in place that at least required an
active network attack to bypass.  You might argue that this would be
worse as it would encourage more people to use untrusted PGP keys.
However, consider SSH's mechanism whereby it acquires public keys
automatically at first and then keeps verifying the keys on subsequent
sessions.  It's not perfect, but I think it definitely improves the
security of the situation.  Anyway, if the NSA started mounting
massive active attacks from the internet backbones, we would at least
find out about it soon enough.

[Posted anonymously to prevent some wise guy from getting the
brilliant idea of uploading 500 fake PGP keys in my name...]





Thread