[Cryptography] OpenPGP and trust

Bear bear at sonic.net
Tue Apr 8 16:21:48 EDT 2014


On Sun, 2014-04-06 at 20:59 +1200, Peter Gutmann wrote:
> Ralf Senderek <crypto at senderek.ie> writes:
> 
> >You can easily solve this problem by obtaining a certificate that verifies in
> >almost all browsers for a few bucks per year, 
> 
> And the neat thing is that any bad guy can buy a cert from the same CA you
> bought your one from (or any other commercial CA of their choice), set up a
> dummy server, and all your friends will connect thinking it's the real thing.
> The false sense of security created by the cert will make things much easier
> for them.

For a while now I've been considering 'continuity' as an (ad hoc)
approach to security.  It could be a supplement to the web-of-trust
or a supplement to X.509, or even something that provides a certain
level of trust on its own for particular purposes.

In a continuity-based system, you'd be associating each key with 
an entity.  An entity presenting a different key/cert, without some 
continuity measure such as new-key-signed-by-old plus revocation
of old key, should not be assumed to be the same entity regardless
of what they or their cert claims.

And revocation of old key is a very important part of it, because 
with revocation you get a situation where an impersonator is forced 
to either use a key that the impersonated person can decrypt (leaving
possible evidence) or break the impersonated person's key (leaving
possible evidence). 

Anyway this is the sort of thing that approach would address.  You 
have bought a cert for your site, some other guy has bought a 
cert for his site, and when people log on, they get a cert - but 
not the one they've been getting up to that moment. This is a 
continuity violation, and absolutely nothing that their software
knows is associated with your site should be working for or with
this other site which has a different key.  

My vision of UI for this would be that each site should come up 
next to (or under, or over) a banner that lists previous interactions
with that site, and that a completely new previously-unseen cert, 
regardless of who it's signed by or what it says, should come up 
with a banner that says, 

"YOU HAVE NEVER ACCESSED THIS SITE BEFORE TODAY - NEW KEY HAS NO
PREVIOUS HISTORY." 

Obviously if the user "knows otherwise" there's something wrong.  
If it's important, and there's no continuity, then the user should 
be making a phone call and getting his bank to verify that yes, it 
did in fact change its key since last time he connected.  The bank 
doesn't want the hassle of answering phone calls?  Then it should 
do the continuity dance, sign the new cert with the old one, and 
revoke.
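As an added illustration of the continuity check described in this message (example code, not from the post or from any OpenPGP/X.509 implementation), the Python below models a client-side store that keeps the key history per site and reports the outcome the banner would show: first visit, continuous, a proper rollover (new key signed by the old one plus revocation of the old), or a violation. The signature scheme is a constructed HMAC stand-in with a secret registry, not real public-key cryptography; a real client would pass its OpenPGP or X.509 signature verifier as the `verify` parameter, and all names (`ContinuityStore`, `observe`, the toy key helpers, the "bank" scenario) are assumptions of this example.

```python
import hashlib
import hmac
# Outcomes a client would surface in the banner described in the post.
FIRST_SEEN = "FIRST_SEEN"    # never accessed before: the key has no history
CONTINUOUS = "CONTINUOUS"    # same key as on every previous visit
ROLLED_OVER = "ROLLED_OVER"  # new key signed by the old one, old key revoked
VIOLATION = "VIOLATION"      # different key with no acceptable continuity measure

class ContinuityStore:
    def __init__(self, verify):
        self.verify = verify  # verify(fp, msg, sig): injected so any key format fits
        self.history = {}     # site -> list of key fingerprints ever accepted

    def observe(self, site, key_fp, rollover=None):
        """rollover = (signature by the last-seen key over key_fp, old_key_revoked)."""
        seen = self.history.get(site)
        if seen is None:
            self.history[site] = [key_fp]
            return FIRST_SEEN
        if key_fp == seen[-1]:
            return CONTINUOUS
        if rollover is not None:
            signature, old_revoked = rollover
            if old_revoked and self.verify(seen[-1], key_fp.encode(), signature):
                seen.append(key_fp)
                return ROLLED_OVER
        return VIOLATION  # also covers a revoked old key reappearing

# Constructed stand-in for public-key signatures (NOT real crypto): a key is a
# secret, its fingerprint a hash of it, and a signature an HMAC with the secret.
TOY_KEYS = {}  # fingerprint -> secret; a real verifier would hold public keys

def make_key(secret: bytes) -> str:
    fp = hashlib.sha256(secret).hexdigest()[:16]
    TOY_KEYS[fp] = secret
    return fp
def toy_sign(fp: str, message: bytes) -> bytes:
    return hmac.new(TOY_KEYS[fp], message, "sha256").digest()

def toy_verify(fp: str, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(toy_sign(fp, message), signature)

def demo():
    store = ContinuityStore(toy_verify)
    a, b, x = make_key(b"bank-key-1"), make_key(b"bank-key-2"), make_key(b"impostor")
    return [store.observe("bank", a), store.observe("bank", a),  # first visit, then continuous
            store.observe("bank", x),                            # impostor's key: violation
            store.observe("bank", b, (toy_sign(a, b.encode()), False)),  # not revoked: violation
            store.observe("bank", b, (toy_sign(a, b.encode()), True)),   # proper rollover
            store.observe("bank", a)]                            # revoked key back: violation
```

Note that a certificate signed by a CA the client otherwise trusts changes nothing here: without a signature from the previously seen key and revocation of that key, the store reports a violation, which is the point the message makes.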