Fw: A different way to do key signing parties.

Gary E. Miller gem at rellim.com
Tue Apr 2 00:37:05 UTC 2019

Yo Hal!

This just in on the IETF mailing list.

TL;DR: CAs are not enough, you also need a Web Of Trust.

I'm not gonna go as far as suggesting a WOT for the NTS certs, but
NTPD is kinda sorta already there with the cluster algorithm.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin

Begin forwarded message:

Date: Tue, 2 Apr 2019 00:40:49 +0100
From: Phillip Hallam-Baker <hallam at gmail.com>
To: IETF Discussion Mailing List <ietf at ietf.org>
Subject: A different way to do key signing parties.

One of the challenges I have set for myself with the Mesh is to get as
much security as possible with zero user effort or less. Users won’t
make any effort for security, the sooner we realize this and decide to
live with it, the sooner we can start delivering useful security.

I believe that CAs do have a role in supporting end-to-end email
security, just not the one that they are assigned in the S/MIME
ecosystem. WebPKI CAs deliver a useful and important function in
authenticating organizations. Applying that model to individuals
doesn’t work.

The PGP Web of Trust model doesn’t really work either. Not at Internet
scale with four billion users. The Moore bound and the Sybil attack
cause trust to decay rapidly over distance.

So why am I suggesting key signing parties? And why post this to the
IETF list rather than a security list? 

It turns out that if you combine the Web of Trust model with the CA
model, you can achieve higher trust metrics than in either model on its
own. Particularly if you have an append only log involved that allows
you to notarize and timestamp the trust assertions from time to time.

I won’t go into the details of that model here, I have a draft with the
details for those interested.

At one time, the IETF used to hold PGP key signing parties. Well here
is the first problem, OpenPGP is only one app. We really need to secure
SSH as well, that is the technology used to access Git repos. We should
probably take rather more care than we do with confidentiality of
communications between IETF participants than we do, but integrity
attacks almost always dominate.

So let us imagine that we are all root of our own personal PKI and this
allows us to sign keys for all the applications on all the devices that
we need to use to be secure. That is the purpose of the Mathematical

Now imagine that this personal PKI is designed so that my personal root
key need never expire. Or at least not until I do. So now let's take a
fingerprint of that key. And let's imagine that I provide that
fingerprint to the IETF during registration ‘somehow’ (add encryption
to taste).

So at this point, I am attending a conference at non-trivial expense
(typically $2,500) at which I am well known to most people and will be
registering by presenting ID. Surely there is some way we can leverage
that to gain a useful endorsement of my key fingerprint for at least
IETF purposes. Not least when for IETF purposes, it is the identity
that you know me as for IETF purposes that matters, not any of the
other identities I might have held over an eventful life.

The simplest approach would be to simply enroll the fingerprint and the
credentials I presented in an append only hash chain but that does not
get us to binding of identity.

We could use the fact I am carrying a device (phone) connected to my
Mesh profile and potentially running an app that can present and/or
scan QR codes to create a stronger binding and possibly streamline

I will elide the cryptography, but assume I am using plenty. The user
experience I am looking at right now would have the conference present
a QR code on a screen that changes every 30 seconds or so or each time
it is scanned. That presents a domain name and a cryptographic
challenge. When scanned using the app, the challenge is put through a
one way function to obtain the locator for a document giving the rest
of the information needed to complete the registration. 

So now my app is saying ‘do you want to pick up your IETF badge’ or
whatever and I click yes and that causes the app to post my Mesh
fingerprint to a URI indicated in the document and that causes the desk
to get a note to look for phill’s badge and also tells my conference
scheduling app to load the IETF material. [Quite possibly customized to
include my Directorate etc. private events]

So then I may or may not present government ID to pick up my badge
(depending on conference policy). But this could at least in practice
be captured as part of the same process (or not). And then of course we
throw the resulting assertion in a blockchain (or whatever we decide to
call them after the Bitcoin crash).

Now imagine we have been doing this sort of thing for five years. At
this point, we have a pretty solid binding of identity. It is not
perfect but it has a very very high work factor and if the attacker
hasn’t planned the attack in advance, they kinda need a time machine.

It is possible that it is worth while IETF doing this for our own
consumption but of course the real point is to establish a model that
can be applied at all sorts of conferences and in universities and
eventually in high schools and churches, etc.

To be clear, this approach addresses one particular set of validation
concerns but does not serve every purpose. If Alice is a government
official and I am emailing her in that capacity, what is important to
me is that I am interacting with a duly authorized government official,
not ‘Alice’. And once you get into strong identity assertions you start
to find pretty quickly that you need pseudonymity modes, even for
government officials, or maybe especially. Yes, I got that one too but
like I said, I am eliding the crypto because that isn’t the important
part, if we can specify the requirements, the crypto is merely a math

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
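
The rotating QR challenge, the one-way mapping from challenge to document locator, and the append-only hash chain mentioned in the forwarded message, as an added Python example that is not code from the post or from the Mesh. The forwarded message elides the cryptography, so SHA-256, the `Desk` class, the `registration.example` domain, the `/enroll` path and the fingerprint strings are all assumptions made here.

```python
import hashlib
import hmac
import secrets
import time

ROTATE_SECONDS = 30  # the post: the code changes "every 30 seconds or so"

def locator(challenge: bytes) -> str:
    # One-way function from challenge to document locator. SHA-256 with a
    # label is an assumption; the post elides the actual construction.
    return hashlib.sha256(b"locator-v1\x00" + challenge).hexdigest()

def entry_hash(prev: str, name: str, fingerprint: str) -> str:
    # Each chain entry commits to the previous entry's hash.
    return hashlib.sha256("\x00".join((prev, name, fingerprint)).encode()).hexdigest()

class Desk:
    """Conference side (hypothetical): rotating QR challenge plus hash chain."""
    def __init__(self, domain, clock=time.time):
        self.domain, self.clock, self.chain = domain, clock, []
        self._rotate()

    def _rotate(self):
        self.challenge = secrets.token_bytes(16)
        self.expires = self.clock() + ROTATE_SECONDS

    def qr_payload(self):
        if self.clock() >= self.expires:
            self._rotate()
        return self.domain, self.challenge

    def fetch(self, loc: str):
        # Serve the registration document only for the live challenge.
        fresh = self.clock() < self.expires
        if not (fresh and hmac.compare_digest(loc, locator(self.challenge))):
            return None
        self._rotate()  # "or each time it is scanned": a locator works once
        return {"post_to": f"https://{self.domain}/enroll"}  # path is made up

    def enroll(self, name: str, fingerprint: str) -> str:
        prev = self.chain[-1][0] if self.chain else "0" * 64
        self.chain.append((entry_hash(prev, name, fingerprint), name, fingerprint))
        return self.chain[-1][0]

    def chain_ok(self) -> bool:
        prev = "0" * 64
        for digest, name, fingerprint in self.chain:
            if digest != entry_hash(prev, name, fingerprint):
                return False
            prev = digest
        return True
```

Passing a fake `clock` makes the 30-second expiry testable without sleeping; a photographed QR code replayed after a scan or after the window yields no document.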