[Cryptography] OpenPGP and trust

Stuart Longland stuartl at longlandclan.yi.org
Fri Mar 28 21:43:24 EDT 2014 

Hi all,

I've been doing some more thinking (and not at 2AM when I'm ¾ asleep) so 
hopefully my reasoning is a bit more sound. :-)

I'm looking at ways in which I can authenticate users, and the automatic 
agents they might be responsible for, in a distributed manner.  In 
particular, I'm thinking of the amateur radio world but the situation is 
applicable elsewhere too.

In Amateur Radio, encryption is more or less outlawed.  In the US, it's 
not allowed on air, end of story (I hear much vigorous discussion about 
it on the digitalvoice mailing list).  Here in Australia, it's allowed 
for very specific circumstances, such as in emergency communications.  
Regardless of your location, in most places it is frowned upon.

The information I'd be wanting to send isn't of a nature that requires 
great confidentiality, so encryption in this case is pointless.  (i.e. I 
don't care that someone sees me tell a computer to "reboot", but I do 
mind if someone tries rebooting my computer.)  I do however, want to be 
able to identify users and authenticate them without opening them up to 
the risk of impersonation.

Some of these services are accessible by both radio and the Internet, and 
while the latter permits encryption, authentication on both is a real 
issue.

Presently, there are a few means of authentication.  One is call-sign 
databases ran by QRZ.com and other sites.  Some of these cost money 
(after all, they cost money to run) to query.  Unfortunately at best they 
can tell you that the callsign AB2CD is a valid call-sign and is owned by 
"Joe Public" living in some part of the US.

Not a lot of help.  It doesn't tell me that the IP address of 20.30.40.56 
that just requested to log into my site is the legal owner of that call-
sign.

Some might be able to take a password the user supplied to you and check 
that for validity.  This is good over the Internet if you can retrieve 
the password confidentially, but no use if encryption is unavailable.  
Well, you can try it: but then hey, everyone else knows your password now!

OpenPGP does provide a means of me "vouching" for another user.  Suppose 
I wanted to set up a messaging service for my local emergency 
communications group, Brisbane Area WICEN.  We set up a computer and plug 
it into a radio, mount that up on one of the towers we rent.  (They've 
got a couple around SE Queensland.)

The computer is in some comms room, not accessible to me directly, and 
not connected to the Internet, but I want users to be able to 
authenticate themselves over the clear-text link, so the computer can 
differentiate them from some smart-arsed pirate with a $50 hand-held 
radio off eBay and a radio-computer interface.

It'd also be useful from an administrative stand-point to be able to send 
administration commands to that computer, have it perform instructions, 
then get back to me.  A bit like the `uux` command in UUCP.  (And yes, I 
know of "grunt" and do use it over UUCP/SSH already.)

In this example, if I got everyone to create OpenPGP sign-only RSA keys, 
then at a meeting, we held a key-signing party.  That would mean we'd 
have a set of keys, wherein anyone's key in that group could identify 
anyone else's.  The messaging computer would also get its own OpenPGP 
key.  The computer would "sign" the administrators' keys, thus allowing 
anyone whose key has been signed by an administrator, to use that system.

All seems well.

The problem I'm grappling with right now is if I wanted to introduce a 
second system with its own users and cross-authenticate.

As I understand it there are 4 levels of trust:

- unknown: You wouldn't have a clue how good this person is at checking 
identity
- none: You know this person signs anything put under their nose, and so 
you can't trust them to vouch for another's identity
- marginal: You trust them somewhat.
- full: they take identity and trust seriously.

The computer really has no means to check identity, so if anyone signs 
its key, the trust should be considered 'none'.  i.e. the person signing 
does not trust the computer to check identity (because it can't).

The computer could be set up so when a new user comes along, if it allows 
"anonymous" access, it signs the new key with a trust of 'none' (after 
checking it doesn't already have a key for that user) so that user may 
log in.

As for users from another site, I guess the messaging computer from our 
site could sign the other site's key with marginal trust, and that would 
allow keys signed by the other site to log in here.

Now the flaw I think I can spot with this arrangement: suppose a fool of 
a user were to "sign" the computer's key with absolute trust.  Anyone who 
had signed their key with marginal or absolute trust would now implicitly 
trust any key that computer had signed.  A big problem if that person had 
an admin key.

I can revoke a signature, question is what stops someone from submitting 
an old version of a key?  Does OpenPGP merge trust updates coming from 
multiple sources?

Am I better to sign signatures to indicate identity, or would I be better 
storing a fingerprint of their signature elsewhere and referring to that 
to check authentication?  Or does attributes like the mean-shortest-
distance serve well enough?

Regards,
Stuart Longland

More information about the cryptography mailing list