Web(logs) of trust

Now that Krishnan Nair Srijith‘s OpenPGPComment plugin lets you accept PGP signed comments, and displays them in raw form for anyone who wants to verify the signature, and a future version will let you verify PGP comments server-side, rather than requiring that interested readers verify them for themselves, the time may come when we have to think about what it actually means to have PGP signed comments, and what various verifications really mean. (Of course, since it’s shiny and new, I already dragged it back to my nest, and you’re welcome to sign your comments here. I’m just not quite sure what it really means, and what’s best to do, just yet.)

In the non-weblog-comment world, PGP signing works something like this:

PGP can do a couple of things for you: it can let you verify that something (usually email) came from the person it appears to have come from, and wasn’t altered at all along the way, and it can let you encrypt the something so that nobody but the recipient can read it. Ignoring encryption (something PGP advocates wish you wouldn’t do, since they want you to encrypt every single email so that the really secret ones don’t stand out), verification has two parts: who was it, and was it altered?

When you start using PGP, you generate two keys (think of them as magic decoder rings, only not from a cereal box), one private one that you keep, and have to type a passphrase (like a password, only longer and harder to type and remember) to use, and one public one that you give out to anyone who might need to verify something you signed. In fact, you’ll probably upload it to the public keyservers, so that anyone looking for your key can find it with your name or email address.

With the public key that goes with the private key that signed a message, anyone can verify that it wasn’t altered between the time it was signed and the time it was received. However, that doesn’t tell you anything about who signed it, only that nothing happened to it afterward. Anyone can upload a key to the keyservers with any name and email they like. pgp.mit.edu lists two keys for Dave Winer, one with a scripting.com email address that I think I remember Dave used to use, and another with a well.com address that may or may not be his – I don’t have any way of knowing, either way. Either or both keys could be his, or they could be his enemies keys, planted there to wait for someone to misunderstand.

In the normal way of things, if I got a signed email from Dave that I needed to verify, I could do several things. I could see if he has posted his public key somewhere on his website (though that’s only as secure as a web server, a thought that makes real crypto fans choke). I could call him on the phone, and ask him to read off the “fingerprint” for his key (a string of hexadecimal digits that identify a particular key-pair), though since I don’t know his voice, I could get a malicious passer-by who happened to know the fingerprint for his own key off the top of his head, and could thus persuade me that Dave wasn’t Dave, but the passer-by was, or I could do the right thing, meet Dave in person, look at two forms of picture ID to verify that I really was talking to him, and then accept his word that the fingerprint he tells me is for his key is his.

That’s fine for people that you actually do meet in person, but having to go visit every person who ever sends you signed mail, while sometimes fun, would be a bit expensive. That’s where what’s known as the “web of trust” comes in. Rather than having to go to Boston to check Dave’s key in person, suppose I run into someone who gets around: Joi Ito would do nicely. We exchange stacks of photo IDs, put on our tinfoil hats, and verify that we have the correct public keys for each other. But then, we use our own keys to sign each other’s keys, and upload them to the keyservers. Now anyone who downloads our keys can determine that we have verified each other. I don’t even need to know about Joi going on to Boston and signing Dave’s key, because when I first download Dave’s key, I’ll see that Joi, who I already checked out, has checked out Dave and found him to be real.

That’s fine as far as it goes, which is pretty much email among relatively small groups of people who meet in person. What about weblog comments?

We have a rather different problem to solve. For the traditional web of trust, the goal is to ensure that a key is owned by a flesh and blood person whose name is the name associated with the key. There may or may not be some casual verification of the associated email address, but mainly it’s about being sure that the name is right. For us, the name is a convenience. It may be a person’s actual name, it may be a pseudonym, it may be a nickname that’s better known than the person’s actual name, but in any case it’s just a convenient tag, to remember that StavrosTheWonderChicken is who writes emptybottle.com, or Dave Winer is who writes scripting.com. Whether you know him as Aquarion or by his real name, what matters in this context is that you know he writes at aquarionics.com.

For a signed comment, although verifying that it hasn’t been altered since it was signed is the same, how and what we want to verify about the signer’s identity is rather different. If I see a signed comment from someone named Mark Pilgrim, I don’t really have any interest in whether or not someone else has verified that the person who signed it is (one of possibly many people) actually named Mark Pilgrim. What I want to know is whether or not it was Mark Pilgrim of diveintomark.org. It doesn’t matter in the least to me whether or not a dozen people whose driver’s licenses I’ve seen have seen that the person who signed that comment has a driver’s license that says his name is Mark Pilgrim. All I want to know is whether or not he’s the person who controls diveintomark.org.

For us, it doesn’t matter who you are: what matters is where you write, and where you link. In this realm, it doesn’t matter that my driver’s license says my name is Phil Ringnalda. What matters is that I control philringnalda.com, and I can link from there to philringnalda.com/public_key.txt. If you verify a comment with a key you get from a keyserver that says it belongs to someone named Phil Ringnalda, you don’t know a thing you didn’t know before, but if you verify it with a key that you find on my server, linked from my main page, then unless I’ve gotten sloppy and let someone own me, you know it’s from me. It doesn’t matter how many people who know far more about PGP and crypto than me say “just use the keyservers, that’s what they are there for” – that’s solving a different problem entirely.

11 Comments

Comment by Srijith #
2004-02-28 08:25:40

Your points about associating an identity with a domain name rather than a name and its associated email address is well taken and I agree that it is a practical way to verify a signed message in a weblog context. But several issues bother me:

1. Using a file kept in your domain as a point of distribution of your public key creates a single point of failure. Even though getting ”owned” is indeed sloppy, not everyone has the fortune of controlling their own servers.

2. The PGP/GPG community is just about getting their acts together on the Web of Trust model and the onslaught of this alternative definition could spell trouble. Now we will have two webs of trust. One for the blogging world and one for non-blogging.

3. Does all blogging services like livejournal etc. allow users to upload files or edit the ”head” section of the HTML to declare the location of the public key URl (assuming you use the ”link rel=”pgpkey” type=”application/pgp-keys”” style to help crawling)?

4. What happens to commenter who don’t have a blog? Do we fall back on keys got from keyservers?

 
Comment by Jacques Distler #
2004-02-28 08:58:06

1. Using a file kept in your domain as a point of distribution of your public key creates a single point of failure. Even though getting ”owned” is indeed sloppy, not everyone has the fortune of controlling their own servers.

Presumably, ”getting ’owned’” is a temporary condition.

If the objective is to inject a bogus PGP public key, so that the perpetrator can impersonate the victim in signing blog comments, this can more easily be accomplished (in what is presumably your alternative means of key-distribution) by submitting that key to the keyserver. No cracking is necessary. A given email address can be associated with multiple public keys.

Having a <link> on your web page provides some modicum of protection, by stating which key(s) you wish to be authoritative, when used to sign blog comments.

I cannot emphasize strongly enough that, just because a key is found on the keyserver means nothing about its authenticity.

2. The PGP/GPG community is just about getting their acts together on the Web of Trust model and the onslaught of this alternative definition could spell trouble. Now we will have two webs of trust. One for the blogging world and one for non-blogging.

”Just getting their act together”? What’s happening now, that’s different from 5 years ago (or whenever)?

I would say that the exigencies of the ”Web-of-Trust” for email are different from those of, say, blog comments. With email, one recipient needs to establish the identity of one sender, who — presumably — is personally known to the recipient. In blog comments, many readers wish to establish the identity of a commenter who is not, generally, personally known to them.

What works in one regime does not necessarily work in the other.

3. Does all blogging services like livejournal etc. allow users to upload files or edit the ”head” section of the HTML to declare the location of the public key URl (assuming you use the ”link rel=”pgpkey” type=”application/pgp-keys”” style to help crawling)?

A good question. Even if they don’t, if this becomes a widely-used convention, perhaps they might be convinced to add (a facility for including) this <link> tag, as a service to their users.

4. What happens to commenter who don’t have a blog? Do we fall back on keys got from keyservers?

I am tempted to say ”yes,” but — as I explained above — this provides no assurance that the person who owns the email address authored the comment. Isn’t it more harmful, in such a case, to tell the reader that this is a valid, PGP-signed comment?

Comment by Phil Ringnalda #
2004-02-28 21:19:03

Uh-oh, doesn’t the temporary nature of getting owned argue against doing server-side verification? At the least, you’ll need [verified bad] [reverify] [see for yourself], and reverify has to trigger an entry rebuild.

And I’m not even arguing that because I fear Crypt::OpenPGP, having realized that Dreamhost has both PGP and GnuPG installed, and there are nice easy to install OO interfaces to both on CPAN.

Comment by Jacques Distler #
2004-02-28 22:22:58

I think Krishnan was referring to the commenter’s website being owned, and the commenter’s public key replaced by a bogus one.

My vision for the server-side verification thing is that it would be done dynamically (on the same dynamically-generated page which currently sports the raw PGP-signed comment). No entry-rebuilds involved.

My reason for this is simply that the first verification will be somewhat slow: fetch the commenters web page, parse the HTML to obtain the URL of his public keyfile, fetch the keyfile, add the key to the local keyring and finally verify the comment. That’s a really painful delay, if you are going to verify the comment before adding it to the page. Once the key is stored on a local keychain, subsequent verifications are very fast, so there’s no great penalty in doing them dynamically.

I think the consequences of being ’owned’ are never pretty. But I don’t think server-side comment verification makes them any worse.

Comment by Phil Ringnalda #
2004-02-28 22:44:12

Ah, doing it dynamically would make a difference: I was picturing a static yes/no in the page. In which case, you get your posted public key owned, a fake comment gets verified good server-side, you replace your posted key with the real one, and you then beg everyone with server-side verification to rebuild so that the false comments will be exposed as not by you.

Um, but since you added the key to your keyring, I still have to beg you to remove it and re-add it, don’t I?

Comment by Jacques Distler #
2004-02-28 23:44:13

Let’s distinguish two scenarios

  1. Commenter’s website is ’owned’, and his public key replaced. The cracker then goes around leaving obnoxious comments in the commenter’s name on various blogs. (This seems slightly far-fetched. Maybe I don’t think like a cracker, but leaving obnoxious comments on third-party blogs is not the first thing I’d think of doing.) The cracker has only a limited time-window for doing this. Once the crack has been discovered, and the bogus key replaced by the real one, he can no longer pull it off.

    In the meantime, however, he has gotten his bogus key added to the keychains at several blogs. He can then freely comment there, until his victim complains and gets the bogus key removed from those keychains.

    I don’t see a way around this. From the victim’s point of view, this is just one more task associated to cleaning up after being ’owned’. If his public key was replaced in the attack, he needs to worry about where the bogus key might have been used in the interim.

  2. The blog owner’s site is ’owned’ and the local keyring replaced. This one is obvious. Delete the bogus keyring. Subsequent verifications will re-fetch the commenters’ public keys and store them on a new keyring.

Neither scenario seems particularly fatal (i.e. no worse than being cracked in the first place).

 
 
 
 
 
Comment by Geodog #
2004-02-28 20:52:14

I like this. Dave Sifry is using a similar system for profiles over on Techorati to verify that you ”own” a weblog.

I was going to sign this with my PGP Key, but I just realized that I left it on my other computer. Oh. Well.

Thanks

Comment by Geodog #
2004-02-29 23:51:06

Phil,

I tried again, from my computer with my pgp software on it. Could you
let me know if it works on your end?

Thanks,

Comment by Phil Ringnalda #
2004-03-01 00:01:18

Works like a charm. As long as nobody has recently cracked your server for the sole purpose of uploading a fake key just to fool me, I’d be willing to say that you’re you.

 
 
 
2004-02-28 09:01:18

”Point of Trust” for bloggers?

Phil Ringnalda in his post Web(logs) of trust gives a good summary of the dilemma facing the use of signed comments in weblog context. However, his views set me…

 
Trackback by Musings #
2004-02-28 21:05:59

PGP-Signed Comments

On the internet, nobody knows you’re a dog. In one way, that’s great. If you want to be anonymous, there’s…

 
Name (required)
E-mail (required - never shown publicly)
URI
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <del datetime="" cite=""> <dd> <dl> <dt> <em> <i> <ins datetime="" cite=""> <kbd> <li> <ol> <p> <pre> <q cite=""> <samp> <strong> <sub> <sup> <ul> in your comment.