[Cryptography] PGP Key Signing parties (Trust Link Grid)

ianG iang at iang.org
Fri Nov 1 04:48:19 EDT 2013


Sounds good, quickly answering, apologies as am busy.

On 31/10/13 19:17 PM, Ralf Senderek wrote:
>
> I'd like to fuel the interest in a more closely knit Web of Trust for
> PGP keys with a bit of history.
>
> In 1998 a book was published (in very small numbers) that contained a few hundred
> people's public keys with their fingerprints, mainly from academic circles.
> It was called "The Global Trust Register 1998". The book certainly helped me to establish
> a trust chain to the PGP key used to sign the PGP source code at the time.
>
> As the book put certain prominent PGP keys in print it helped to make circulation
> of faked keys more difficult. But it certainly was not able to provide an infrastructure
> that anyone could use to gain first-hand-knowledge of PGP keys.
>
> In 2001 I discussed a proposal with Ross Anderson that might have closed that gap
> but it was not being advanced at the time, so I'll describe it briefly here for evaluation:
>
>     The Trust Link Grid (TLG)
>
>     "The initiative is based on the assistance of a number of volunteers to make sure that
>     a reliable public PGP key is in reach of 100 Km globally, by establishing a grid of nodes
>     that publish first-hand-knowledge about PGP keys, that cannot be forged easily.


Let me talk a bit about CAcert and perhaps other CAs as it presents an 
illuminating counterpoint.  CAcert provides that as a network of 
Assurers.  There are thousands of them across the planet, with about a 
third concentrated in the Germanic belt of countries.


>     The TLG should provide a solution to this problem:
>
>       "How can anyone gather enough evidence based on non-electronic
>        first-hand personal knowledge to be sure that a key of whatever
>        kind is really used by a certain individual to the best of
>        the knowledge of those who published the first-hand information."


CAcert does their assurance using paper evidence and electronic 
distribution.  The whole system is backed up by Arbitration so that any 
particular claim can be tested by independent individuals.

>     I hope it will be possible to encourage individuals to act as
>     a "Trust Link Node", as a contact person for others to confirm
>     some first-hand information to them. I don't know how many
>     volunteers would be needed but to cover Britain twenty individuals
>     would make sure that a reliable key is no more than 60 Km away.


Sounds about right.  But don't treat it as a statistically-even graph 
across the country, treat it as a social network issue.  That's the way to 
propagate it.


>     Each node creates a Trust-Link-Key and verifies his key to the
>     node in the north, east, south and west. That takes no more than
>     400 Km of driving each, leaving a "Trust-Link-Statement" with
>     every person contacted.


People don't do that.  What they do is travel to the nearest 'meet' of 
everyone.  Forget geography and distances, concentrate on community.


>     Every node publishes the TL-key together with at least four
>     TL-statements on a website, which confirm that there had been
>     a personal contact and a key verification procedure that meets
>     certain standards (like A-level keys in GTR).
>
>     This should not absorb too much energy. And with every additional
>     personal contact (at conferences or whatever) between two volunteers
>     a node can collect new TL-statements to be published on their
>     local website as well." (Jan. 2001)
>
> This decentralized approach does not need a globally agreed-on standard;
> in contrast it only uses signed ASCII messages stating first-hand knowledge
> in plain English, that has been gathered without electronic means but is
> verifiable by checking the TL-statements for any path you like.


Au contraire!  What you describe *is the globally agreed-on standard* :

"Each person shall sign a message stating that they have met the person 
in first-hand and established various keys, etc, which are listed 
herein, and various other facts (enumerated) to ensure reliable 
distribution of the key fact."

That has to be written.  And agreed.  And promulgated.  It has to be 
taught and trained and tested...  Have a look at the CAP form for 
CAcert, its contents are controlled by a policy.


> The trust that lies in the grid is founded on the risk that a publicly stated
> first-hand knowledge by a node turns out to be false. That would harm the online
> reputation of the individual that is running the node, as there are always at least
> four more independent TL-statements from other people for each such information.


This is worthless.  Reputation systems never work, because any mistakes 
made are easily dismissed -- "I made a mistake, let me fix that..."  And 
any nefarious attacker knows how to mix mistakes and innocence with 
dirty deeds.  Remember, the attacker is thinking completely different 
assumptions to you, and they are expert in their job.


>    "The main purpose of the initiative is risk reduction.
>     Unlike normal signatures on keys, trust link statements have
>     semantics: they state facts that make it risky to cheat
>     both for the nodes and for the local individual.
>     The reliability depends on the consistency of the system,

Hence the need for globally agreed documentation :)

>     that some fact is independently confirmed by others whose
>     keys can be verified in a similar way, relying on other keys
>     which in turn have a number of independent verifications." (Jan 2001)



In terms of risk, you have to ask yourself what happens when something 
goes wrong?  You don't have much of an answer for this, other than 
'reputation' which is a sort of hand-wavy new-age 1990s thing that never 
worked out.

If something goes wrong with a CA-issued certificate, you are SOL.  This 
is as it is writ.  So the CA system survives because the statement is 
pretty clear, albeit buried and we agree as insiders not to market it.

For CAcert, if something goes wrong, the Arbitrator can issue a ruling 
that is backed by the courts of most countries, and can issue monetary 
damages up to 1000 EUR as well as other 'remedies'.

Both of these systems give a defined value for damages, which allows an 
individual to calculate how much weight the system can support.  A 
CA-issued cert:  zero.  A CAcert-issued cert is 1000.

If you want the system to be robust, and have a risk equation, ask those 
questions:

      What happens when something goes wrong?

      How much money can I lean on this system?


Apologies for rushed reply.

iang
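
An added illustration, not part of the original thread or of either author's work, of what "checking the TL-statements for any path you like" amounts to: it counts how many chains of statements reach a key without sharing an intermediate node, and shows the count dropping when one node's statements are discarded. The grid layout, the tuple node names and the function names are assumptions, and every statement is assumed to have had its PGP signature verified beforehand.

```python
from collections import defaultdict, deque

def build_statements(width, height):
    """Constructed sample data: each node on a width x height grid publishes
    one TL-statement (signer, subject) per north/east/south/west neighbour.
    Border nodes of this finite sample have fewer than four neighbours."""
    stmts = set()
    for x in range(width):
        for y in range(height):
            for dx, dy in ((0, 1), (1, 0), (0, -1), (-1, 0)):
                nx, ny = x + dx, y + dy
                if 0 <= nx < width and 0 <= ny < height:
                    stmts.add(((x, y), (nx, ny)))
    return stmts

def without_signer(statements, node):
    """Drop every statement signed by a node that is no longer believed."""
    return {(s, t) for s, t in statements if s != node}

def independent_paths(statements, start, target):
    """Count statement chains from start to target that share no intermediate
    node: max-flow where each node is split into in/out with capacity 1."""
    cap = defaultdict(lambda: defaultdict(int))
    nodes = {n for pair in statements for n in pair}
    for n in nodes:
        cap[(n, "in")][(n, "out")] = len(nodes) if n in (start, target) else 1
    for signer, subject in statements:
        cap[(signer, "out")][(subject, "in")] = 1
    source, sink = (start, "in"), (target, "out")
    flow = 0
    while True:
        parent = {source: None}          # breadth-first search for a free chain
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in list(cap[u].items()):
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow
        v = sink
        while parent[v] is not None:     # consume capacity along the chain
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flow += 1
```
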

