[Cryptography] OpenPGP and trust

Stuart Longland stuartl at longlandclan.yi.org
Sun Apr 6 17:27:00 EDT 2014


On Sat, 05 Apr 2014 22:42:44 +0200, Ralf Senderek wrote:

> On Sat, 5 Apr 2014 Stuart Longland wrote:
> 
>> In fact, I set up an OwnCloud instance for this group, and issued
>> passwords to the group by email.  The service optionally accepts
>> connections via TLS, and I encourage its use, but also allow clear-text
>> as it uses a self-signed certificate and some of the users aren't
>> terribly technical.
> 
> You can easily solve this problem by obtaining a certificate that
> verifies in almost all browsers for a few bucks per year, don't consider
> to use a self-signed cert and as a consequence open up unencrypted
> connections to your OwnCloud server. Instead you should configure your
> internet access as HTTPS only!

Well, it's a wonderful cure, but now I'm looking for a disease.  TLS is 
overkill on this site: it's not a banking/finance site, and there's very 
little that's truly confidential.

It's got some contact details for some of our members: that's about as 
confidential as it gets.  Not much of a target for crims to impersonate.  
My main reasoning for allowing HTTPS there is just for supplying 
passwords -- and that's mainly in the absence of something more 
appropriate.

I'm not sure it's worth spending dollars on CA certificates and all the 
red tape that involves, especially since the passwords were given out 
over clear-text email anyway.  I understand there's quite a bit of red 
tape in acquiring a CA certificate as they've got to check your identity 
before issuing it.  (And if there isn't, then it's even easier for the 
crims to impersonate you.)

I provide the option for https logins, and tend to direct people to use 
clear-text only if their machine is particularly strict on self-signed 
CAs.  I suppose I should provide a link to the CA certificate I'm using 
so they can load that into their browsers.  I feel this is a "good 
enough" compromise in our situation.

The authentication scheme I'm looking to use for packet can equally work 
on HTTP: somewhere where TLS with strong crypto is more or less 
forbidden.  If I can solve the authentication over packet radio problem, 
I've solved the revealing passwords over clear-text HTTP as well.

>> I could have the users supply the password they use to log into
>> OwnCloud over packet radio, but then they've just given away their
>> log-in credentials over a clear-text link.
> 
> No. This may be as bad as using HTTP for logins.
> 
> From this point we're talking about user ( not server ) authentication
> and that means signed PGP keys, which are called certificates as well.
> 
>> Suppose I wanted to allow any radio amateur operator to access the BBS.
> 
> This is the wider group.
> 
>> Those who are in my emergency comms group authenticate with digital
>> signatures, and thus get the ability to see and post messages to our
>> group's specific message board, everyone else just sees the public
>> boards.
> 
> In this core group you only have to throw a key signing party once and
> make sure that the call-sign is in the name-part of the key, where the
> email address is located under normal circumstances. You'll only need
> name and call-sign in the key ID.

Is there a way in OpenPGP to encode the call-sign as a separate, 
searchable field?  I think I read up in the spec that you can have a 
photo embedded in a key, and there's scope for it.  I'm just not sure 
what the support is.

At the moment I've created one such key for myself, and for now I'm 
putting my full name and call-sign in the "name" field.  I've also 
considered using a specialised-format address in the "email" field.  i.e. 
me at vk4msl.ham or some such.

(But then ICANN will probably grant the .ham TLD to some meat processing 
company.)

>> I want to be able to prove that the person registering over the
>> Internet is a licensed radio amateur.
> 
>> The thought is that: supposing myself and those around me all set up
>> certificates, we can verify each other's certificates and produce
>> signatures that basically say "I <whoever>, trust that this certificate
>> belongs to <name>". PLUS CALL-SIGN
> 
> You'll do this with your signature under the core group member's PGP
> keys.
> 
>> So supposing with my certificate, indicating me as holding the
>> call-sign VK4MSL, I meet up with another amateur Bob with the call
>> VK4BOB.  We check each other's details and then sign each other's keys.
>> I tell the computer running the BBS to trust any key I sign.
> 
> To extend this trust to keys that have been signed by Bob, there's two
> things you have to ensure.
>   a) people like BOB (core group) are bound to check the name/call-sign
>      on every other key they sign with a proof of a valid license.
>   b) your server needs to check the trust chain to allow a login.
> 
> You might restrict the trust chain to two hops as you might not be able
> to ensure that Alice adheres to a) if she signs Carol's key.

This is a point.  To this end I was doing a bit of a "6 degrees" type 
experiment.

There's a couple of people I know who I've met at linux.conf.au the two 
times I've attended whom I know to be radio amateurs.  One of them signed 
my PGP key, Karl Goetz.  Some of the others I met don't have OpenPGP 
keys from what I can tell.

Looking around on the topic of authentication on amateur radio, I come 
across the posts from another prominent radio amateur, Bruce Perens.

So on Saturday night, I tried playing a little experiment: could I figure 
out a chain of trust between our keys?

It turns out I can:
http://pgp.cs.uu.nl/paths/6F8790CA/to/F6599E8D.html

But, I'll need to figure out a way I can do this in an automatic 
fashion.  It appears that I need to ensure I have the intermediate keys 
in order to verify the chain of trust.  The problem is working out which 
keys are needed.

I spent quite a while downloading random PGP keys until I hit upon a 
path.  To make this automatic, I'll need some way I can distil the web-of-
trust down to some compact form which can be replicated, then when 
someone logs in, it'll be a case of requesting the necessary intermediate 
keys to verify the individual.

There's a tool mentioned on that PGP path finder site: WotApp, which 
would be worth researching.

>> Is it safe to use the presence of someone's trust signature in a key to
>> indicate the person's membership in a group or is this better stored
>> out-of-band?
> 
> The key signatures "certify" the name / call-sign connection nothing
> else.

Ahh, so any "group" membership should be in a separate (signed) file.  
Maybe the whole lot bundled up, compressed and signed by the person 
concerned, making a "certificate" which includes identity and relevant 
group membership information.

The picture about how to go about this is getting clearer. :-)
Many thanks.
Regards,
Stuart Longland
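
Added example (not part of the original message): a sketch of the automated check discussed above, where the server searches a compact list of certifications for a chain from the trusted key to the key logging in, limited to two hops, and reports which intermediate keys it needs. The key labels and the certification list are constructed, and finding a chain here does not replace verifying each signature with the fetched keys.

```python
from collections import deque

# Constructed sample data: each pair is (signer, signed key). The labels stand
# in for key fingerprints; VK4MSL is the key the BBS is told to trust.
CERTIFICATIONS = [
    ("VK4MSL", "VK4BOB"),
    ("VK4BOB", "ALICE"),
    ("ALICE", "CAROL"),
    ("CAROL", "VK4MSL"),      # cycle: must not loop forever
    ("MALLORY", "CAROL"),     # signer with no path from the root
]


def build_index(certifications):
    """Map each signer to the set of keys it has certified."""
    index = {}
    for signer, signed in certifications:
        index.setdefault(signer, set()).add(signed)
    return index


def find_chain(index, root, target, max_hops=2):
    """Breadth-first search for the shortest chain root -> ... -> target.

    Returns the list of keys along the chain, or None when the target is not
    reachable within max_hops certifications.
    """
    if root == target:
        return [root]
    seen = {root}
    queue = deque([[root]])
    while queue:
        chain = queue.popleft()
        if len(chain) - 1 >= max_hops:   # chain already uses every allowed hop
            continue
        for signed in sorted(index.get(chain[-1], ())):
            if signed in seen:
                continue
            if signed == target:
                return chain + [signed]
            seen.add(signed)
            queue.append(chain + [signed])
    return None


def intermediate_keys(chain):
    """Keys between root and target that must be fetched to check the chain."""
    return chain[1:-1] if chain else []
```

With the two-hop limit, ALICE is accepted through VK4BOB while CAROL, who is only reachable through ALICE's signature, is not.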


