Keyservers and Spam

bear bear at sonic.net
Wed Jun 11 13:27:25 EDT 2003



On Tue, 10 Jun 2003 Jill.Ramonsky at Aculab.com wrote:

>
>> -----Original Message-----
>> From: David Honig
>> Sent: Monday, June 09, 2003 6:42 PM
>> To: Jill.Ramonsky at Aculab.com; cryptography at metzdowd.com
>> Subject: Re: Keyservers and Spam
>>
>> Why not publish your key under a bogus name that goes no-where?
>
>The answer is simple. I cannot publish a PGP under a false name, because if
>I did, who would sign it to attest that it genuinely did belong to the
>person to whom it claimed to belong? Would you?
>
>If _anyone_ signed a key with a bogus name on it, and got found out, then
>_their_ credibility as a key-signer would go down the plug-hole, which in
>turn would mean that PGP users would decrease their trust in the key of the
>signer, which in turn would mean that any OTHER key signed by that signer
>would immediately become less trusted.

That is the theory.  In practice, as long as the PGP "web of trust"
depends on connections made through signers not personally known to
the person depending on the security, it hardly works.  There is
very little verification done in the web of trust, not even for
consistency.  There's no way for it to propagate negative information,
(such as Bob's mention of having observed Alice verifying keys to
people not known to her) nor, where nyms are easy to come by, any
way for negative information to attach to a given person.

In order for the web of trust to work, it would have to be better
for your trust profile to be a known spammer and fraudster than to
be an unknown person.  Because as long as known spammers and fraudsters
can become unknown people just by grabbing another nym, there's no
difference.

I don't particularly like the commercial certs, but the thousand
bucks or so ought to serve as a "bond", in that if people untrust
the keys, there is real value that will be lost.  That makes it
require some expenditure of resources to grab a new nym.  However,
even when provoked - even when root certs have been **SOLD** -
people still don't untrust them, because the news of the compromise
doesn't propagate around triggering revokes on individual systems.


>I, personally, would never sign a bogus key. If I ever did find someone who
>was prepared to sign a bogus key (including one which was created by me),
>then MY trust in THEM would immediately drop to zero. And what good to me is
>a key which is signed by someone whose authentication credentials I don't
>trust?
>
>If we allow this, then the entire web-of-trust disintegrates.

I consider it to have already disintegrated, long ago.  Trust extended
to unknown people is a bogus concept.

>So ... if you believe (as I do) that a PGP key is untrustworthy unless there
>is a chain of signers reaching from you to it, matching the settings in your
>PGP configuration file, then posting a bogus key becomes completely
>pointless.
>
>On the other hand ... if the key is NOT bogus, then it has my real name on
>it, and the spam problem remains.

It's worthwhile, in some sense, to attach a key to a nym.  It doesn't mean
the key is bogus, it just means it's a nym instead of a name.  When I
correspond with entities known to my mailbox as "Madame Ovary" and
"Guadalupe de Loop"  it's not because I believe that those are their actual
names.  However, there is a certain level of trust, because I've been
corresponding with these entities for over ten years.  They are no longer
"unknown people" to me, regardless of the fact that I couldn't link either
of them to a particular email address, a legal name, or a photo.  Would I
sign Madame O's key, attesting that he/she/they/it are/is a persistent
pseudonymous entity known to me more than ten years and never observed to
be part of a scam or fraud?  Yes, I would. Would that be meaningful to anyone
else?  I dunno.

>I have seen very little discussion of this point, anywhere. The few replies
>I have had to my original question suggest that there simply _is_ no
>solution, except live with it. Either don't publish your key (which means
>that no-one can find your key even if they have a priori knowledge of your
>email address), or do (and accept the price in spam). This seems to be the
>reality of how it is. This being the case, I am now starting to wonder if it
>might be time to invent a new PGP keyserver protocol which addresses this
>issue. Keyservers could then start to implement the new protocol, and, in
>time, the problem would be solved. Does this make sense? Is this reasonable?

It's actually not too difficult.  If keys were stored by a one-way hash on
the email address, rather than by the address, there'd be no need for the
keyserver to even know the email addresses.  You'd query it by sending it
the hash of the email address, and it would respond by sending you the
associated key.

You could prevent keyservers from being used for address verification
with a "blind query" where the Keyserver sends back a key whether or
not there is a key for that address.  The "key" would be pseudorandom
bits based on the query if the address is not listed, or the actual
key if it is.  Then there'd be no way for someone to obtain or verify
an email address from a keyserver, but they could still use the email
address to get the key, if it existed, from the keyserver.  The
downside would be that you'd run the risk of sending encrypted mail to
someone with no key, but that doesn't cause too much of a problem.

				Bear
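
A sketch of the hashed-address lookup and "blind query" described above, as an added example that is not part of the original post and not any real keyserver's protocol. Assumptions: SHA-256 as the one-way hash, an HMAC under a server-side secret as the source of the pseudorandom decoy bits, fixed-length opaque keys, and constructed example.org addresses; the names address_hash and BlindKeyserver are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # assumption: keys are opaque fixed-length blobs in this sketch


def address_hash(email):
    """One-way hash of the normalised address; the server never sees the address."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).digest()


class BlindKeyserver:
    def __init__(self):
        self._keys = {}  # address hash -> key bytes
        # Server-side secret (assumption): makes the decoy for a given query
        # stable across repeats and impossible for a client to recompute.
        self._decoy_secret = secrets.token_bytes(32)

    def publish(self, addr_hash, key):
        if len(key) != KEY_LEN:
            raise ValueError("key must be KEY_LEN bytes")
        self._keys[addr_hash] = key

    def query(self, addr_hash):
        # Always derive the decoy, so listed and unlisted lookups do the same work.
        decoy = hmac.new(self._decoy_secret, addr_hash, hashlib.sha256).digest()
        # Listed: the real key. Unlisted: pseudorandom bits based on the query.
        return self._keys.get(addr_hash, decoy)


if __name__ == "__main__":
    server = BlindKeyserver()
    real_key = secrets.token_bytes(KEY_LEN)  # constructed stand-in for a public key
    server.publish(address_hash("alice@example.org"), real_key)

    listed = server.query(address_hash("Alice@Example.org"))
    unlisted = server.query(address_hash("nobody@example.org"))
    print("listed lookup returns the published key:", listed == real_key)
    print("unlisted lookup still returns", len(unlisted), "bytes")
    print("repeat of unlisted lookup is identical:",
          unlisted == server.query(address_hash("nobody@example.org")))
```

The decoy only hides whether an address is listed if it cannot be told apart from a real key; actual OpenPGP keys are structured packets, so a deployment would have to shape decoys to match that format rather than return raw bytes.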




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


