[Cryptography] ToFU +- SaFU

John Denker jsd at av8n.com
Tue Apr 14 16:12:32 EDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

By way of background:  There is a distinction between
  *) ToFU == Trust on First Use
  *) SaFU == Same as First Use

... among many other important distinctions to be made.
I mention this because on 04/13/2015 12:35 PM, Christoph 
Anton Mitterer wrote:

> b) X.509, and similar schemes, where trust in another one's identity is
>    not directly authenticated, but rather one trusts one (or hundreds)
>    of central points (the CAs) to do the right thing.

OK.  That's the ridiculous system we are stuck with at
the moment.

> a) OpenPGP and similar schemes, where peers are typically more or less
>    directly authenticated (e.g. by personal meeting and fingerprint
>    exchange)

That's not a fully accurate description of PGP.  PGP is often
nothing more than SaFU.  That is:  I have a lot of PGP keys 
for people who aren't entirely trustworthy.  All the PGP 
signature tells me is that it is the /same/ sketchy character 
as last time.

>    This btw. also includes things like SSH, at least when one
>    directly/securely exchanges SSH keys.

SSH ought to be in its own category.  I reckon it is mostly
used in ToFU or SaFU mode ... but it can be configured to
respect authorities also.

=========

* More importantly, these schemes are not mutually exclusive.
* A combination of authority plus pinning is incomparably
* more secure than either one separately.

=========

>    This PKIs put the whole control under the user.

That's an important point.

To expand upon that point:  There are crucial distinctions
between identification, authorization, recognition, and trust.
Recognition comes before trust.  If I can recognize the guy 
reliably and repeatedly, then over time I might develop 
"some" level of trust.

It must also be emphasized that "trust" is not a Manichaean
black-or-white proposition.  It's not even one-dimensional.
I might trust somebody with $10 but not $10,000.  I might 
trust somebody's judgment in one area but not another.

  Maybe in a small village identification+authentication
  could result in a measure of trust, insofar as if the
  guy did something nasty you could find him and punish
  him.  In contrast:  On the internet, identification+
  authentication is almost completely decoupled from trust.

The semantics of signing a /key/ seems IMHO undefined and 
undefinable.  In the real world we have ways of specifying
what a signature means.  A contract spells out in detail
what its signatures mean.  A signature on the front of a 
check means one thing, while a signature on the back means 
something else.  A signature on a candidate's nominating 
petition means something else yet again.

It makes sense to PGP-sign a contract (or an email) ...
but signing a "key" is highly problematic, because there
is so little control over the semantics.

It cracks me up when people complain about "identity theft".
There is no such thing as ID theft;  there is only FRAP:
Failure of Ridiculous Authorization Protocols.

    Ford:   I know who you are.
    Spike:  Yeah, I know who I am, too. So what?

                    http://www.buffyology.com/transcripts/019-2-07-lietome.html

Knowing how to identify me (in the sense of being able to 
pick me out of a crowd) does not mean you "are" me, and it 
absolutely doesn't mean I authorized such-and-such financial 
transaction.  An authorization protocol that relies on 
individual traits and not-very-private factoids (such as
SSN) is just ridiculous.

>  OpenPGP and similar schemes, where peers are typically more or less
>    directly authenticated (e.g. by personal meeting and fingerprint
>    exchange)

Person-to-person fingerprint exchange is almost irrelevant
to me.  There are lots of people I trust /with certain things/
based on reputation and/or longstanding collaboration.  In
some cases I have met these guys in person ... and in other
cases not.  In any case, meeting the guy has got virtually
nothing to do with my decisions about trust.

Looking at the guy's driver's license is even less relevant.
OK, so the guy has a license that says John Smith.  Is that
John Smith the cryptographer, John Smith the pornographer,
John Smith the spy with a high-quality fake license, or
what?  And why should I trust that guy more than John Smith
the sock puppet or John Smith the dog?
   http://upload.wikimedia.org/wikipedia/en/thumb/f/f8/Internet_dog.jpg/220px-Internet_dog.jpg
Seriously, I would be more inclined to trust a sock puppet
with no license and a good reputation than an in-person
person with a license and no reputation.

===========

I don't pretend to be an expert on such things, but it's
obvious even to me that we need to take a step back and
get a better handle on what we are trying to do.  Too often,
crucial distinctions are getting trampled on.

At the very least, we need a layered approach:

  *) At some level, we need a secure channel, resistant
   to tampering and to eavesdropping.

  *) Given such a channel, we can carry out identification,
   authentication and (more importantly) recognition.

  *) Given recognition, we can over time develop various
   degrees and various kinds of trust.

Also:  We need to stop signing "keys" and instead sign
things where the semantics is clearly specified.
  At this point the question arises, how do you get a 
  computer to check the semantics.  I have no idea how 
  to do that in the general case, but I'm not sure it 
  matters, so long as "somebody" can look at it and 
  understand the semantics.

  Common special cases can be handled.  For example, 
  there are big companies that will sell you a 
  paperless-office system whereby you can sign a 
  travel voucher and your department head can
  counter-sign it.  The semantics is reasonably
  clear.

My PGP signature on this email indicates that I sent it, 
and that it represents a snapshot of my opinions.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
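
The starred point in the post (authority plus pinning is more secure than either one separately), as a small Python model. This is an added example, not part of the original post: the `vouched` set is a constructed stand-in for real CA validation, and the function names, key bytes and the peer name `example.test` are hypothetical.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    FIRST_USE = "first use: accepted and pinned"
    SAME = "same key as first use"
    CHANGED = "key differs from the pinned key"
    UNVOUCHED = "no authority vouches for this key"

def fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()

def check_pin(pins: dict, peer: str, public_key: bytes) -> Verdict:
    """Pinning alone: ToFU on first contact, SaFU on every later contact."""
    fp = fingerprint(public_key)
    if peer not in pins:
        pins[peer] = fp          # nothing to compare against yet
        return Verdict.FIRST_USE
    return Verdict.SAME if pins[peer] == fp else Verdict.CHANGED

def check_authority(vouched: set, peer: str, public_key: bytes) -> bool:
    """Authority alone (assumption: a set lookup stands in for CA validation)."""
    return (peer, fingerprint(public_key)) in vouched

def check_combined(pins: dict, vouched: set, peer: str, public_key: bytes) -> Verdict:
    """Both layers: an unvouched key is never pinned, a vouched key must match the pin."""
    if not check_authority(vouched, peer, public_key):
        return Verdict.UNVOUCHED
    return check_pin(pins, peer, public_key)

def demo():
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"   # constructed sample keys
    peer = "example.test"
    vouched = {(peer, fingerprint(key_a))}

    # Case 1: an unexpected key on first contact. Pinning alone has no baseline.
    pin_only = check_pin({}, peer, key_b)
    combined_first = check_combined({}, vouched, peer, key_b)

    # Case 2: key_a is pinned, then the authority also vouches for key_b.
    pins = {}
    check_combined(pins, vouched, peer, key_a)
    vouched.add((peer, fingerprint(key_b)))
    authority_only = check_authority(vouched, peer, key_b)
    combined_later = check_combined(pins, vouched, peer, key_b)
    return pin_only, combined_first, authority_only, combined_later

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Each layer on its own accepts one of the two cases; the combined check rejects both.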

