[guardian-dev] pgp key server on gaurdianproject.info

Tim Prepscius timprepscius at gmail.com
Mon Sep 16 17:41:53 EDT 2013


Yah, I guess I'll do the "here are the keys for xxx at xxx you pick the
one you think is correct."

The DNS issue is very real.  I had a conversation once with a techy in
Vietnam (years ago, perhaps things have changed) who said that DNS
entries were hacked weekly for popular sites.

It just seems to me that this threat could be mitigated if everyone
was checking their keys and their friends' keys on an ongoing basis.



But HC's response was pretty definite, and if gaurdianproject.info is
unwilling to set up some server, then 99.999% of mail servers will be
unwilling, and so the idea is moot.

-tim

On 9/16/13, Kevin Steen <mayfirstorg at kevinsteen.net> wrote:
> Your suggestion basically moves the responsibility for key
> authentication away from the end-user and onto an unknown third party.
> Since governments and rich companies (RIAA/MPAA) can take over domain
> names at will, trusting a server found via DNS to authenticate keys
> isn't a good solution.
>
> Domains, email addresses and PGP keys have only a temporary association
> with a human being and if you eliminate the key selection step you don't
> provide the user with the security they think they're getting. As the
> saying goes: 'Make things as simple as possible, but no simpler.'
>
> Auto-lookup with trust-on-first-use and a big, flashing, red sign that
> says 'THIS MAY NOT BE THE REAL JANE SMITH' might be the simplest
> interface which preserves the desired security.
>
> -Kevin
>
> On 16/09/13 21:37, Tim Prepscius wrote:
>> So, I've been integrating pgp into my mailiverse project.
>>
>> I have a question for you all concerning whether you would be willing
>> to run a pgp keyserver, but a different one from the standard.  I'm
>> asking you because, if you were *unwilling*, or saw no need, you are
>> probably a good indicator of others' reaction.
>>
>>
>> So here's the situation:
>>
>> I can't look up people's keys.  It is impossible, with the current
>> state of the pgp key servers to know whether or not the key that is
>> published for you, is actually yours.  You might think, "well, you
>> can't ever really know."  But I mean something entirely different...
>> on a different scale.
>>
>>
>>
>> So for instance:
>>
>> nathan at gaur.. has a pgp key:
>>
>> http://pgp.mit.edu:11371/pks/lookup?search=nathan%40guardianproject.info&op=index
>>
>> But I could easily create a new key for Nathan and upload it to the
>> keyserver.
>> Then when people look up nathan at gaur.... *my* bad key would be the first
>> key.
>>
>> Also, I see that nathan's key is 4096 bits which is nice.  If he had a
>> 1024 bit key, I have read that there is technology out there to forge
>> a key for nathan which has the *same* keyID.
>> Which is a problem.
>>
>>
>> While a human can take extra steps to reasonably ascertain which key
>> is Nathan's, perhaps even calling him up, or talking to him on a
>> newsgroup such as this, or seeing who trusts his key, there does not
>> *seem* to be a machine solution to this problem. (or I do not see one)
>>
>>
>>
>> A possible remedy:
>>
>> Would the gaurdianproject be willing to run a key server which can be
>> queried for "*@gaurdianproject.info" but no others?
>>
>> It would only return results for Nathan which are manually set by Nathan.
>>
>> Nathan could periodically check that what the server is returning is
>> in fact his key.
>> Perhaps this server could be run at pgp.gaurdianproject...
>>
>>
>> The server itself, would be incredibly dumb, simple.
>> Probably just a static file server.
>>
>> it could be queried like:
>> https://pgp.gaurdianproject.info:11372/nathan@gau...
>>
>> It could use non 8080 and 80, some other port, for instance 11372, so
>> it could be run on the same machine as some other web server.  It
>> could use node, so no java massive heap overhead, and for the most
>> part it would consume almost no resources.
>>
>>
>>
>> Why:
>>
>> I need some reliable way to look up a pgp key.  Asking users to skype
>> someone and verify a key is not an option.  Asking users to install
>> software is not an option.  I want everyone to have pgp keys.
>>
>> I've started a discussion at the gpg newsgroup, however (well I
>> haven't gotten the digest for today yet), it seems to have veered off
>> into theoreticals which I am not interested in.  I need a solution
>> which works now, and not some time in the future.  And preferably a
>> solution which is so simple anyone can implement it if they choose to.
>>
>>
>> Possible other benefits:
>>
>> My mail server/client will keep track of changes in keys.  If Nathan's
>> key changes, *everyone* who corresponds with him, will be notified
>> this has happened, and have the choice of sending a "did you know your
>> key changed" email using the old key, or plain-text or whatever.
>>
>>
>> The keyserver which you run could also check with each request that
>> the first key in the global server (for instance http://pgp.mit.edu)
>> for you is still yours, and possibly notify you some way if it
>> changes, if for instance I forge a key for you and upload it.
>>
>>
>>
>> Let me know your thoughts,
>>
>> -tim
>
>
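
The trust-on-first-use lookup and key-change notification discussed in this thread can be sketched as follows. This is an added example, not code from the original messages or from mailiverse; the `KeyPinStore` class, its status names, the address and all fingerprints are hypothetical, constructed values. It compares full fingerprints rather than short key IDs, so a key that shares a key ID with the pinned one is still reported as a change.

```javascript
// Added example: trust-on-first-use (TOFU) pinning of PGP keys by full fingerprint.
// KeyPinStore and its status names are hypothetical, not an existing API.
const normalize = (fp) => fp.replace(/\s+/g, "").toUpperCase();
const shortKeyId = (fp) => normalize(fp).slice(-8); // low 32 bits of a v4 fingerprint

class KeyPinStore {
  constructor() {
    this.pins = new Map(); // email -> { fingerprint, firstSeen }
  }

  // candidates: fingerprints returned by any lookup (public keyserver, per-domain server).
  // Nothing is pinned unless exactly one key is offered or the user calls pin().
  evaluate(email, candidates) {
    const fps = [...new Set(candidates.map(normalize))];
    const pinned = this.pins.get(email.toLowerCase());
    if (fps.length === 0) return { status: "no-key" };
    if (pinned) {
      if (fps.includes(pinned.fingerprint)) {
        const extras = fps.filter((f) => f !== pinned.fingerprint); // other uploads
        return { status: "match", fingerprint: pinned.fingerprint, extras };
      }
      // Pinned key not offered: report it, and note a short key ID collision.
      const collision = fps.some((f) => shortKeyId(f) === shortKeyId(pinned.fingerprint));
      return { status: "changed", pinned: pinned.fingerprint, offered: fps, collision };
    }
    if (fps.length > 1) return { status: "choose", offered: fps }; // user picks
    this.pin(email, fps[0]);
    return { status: "first-use", fingerprint: fps[0], warn: "identity not verified" };
  }

  pin(email, fingerprint, now = new Date()) {
    this.pins.set(email.toLowerCase(), { fingerprint: normalize(fingerprint), firstSeen: now });
  }
}

// Constructed sample fingerprints (not real keys); two share the last 8 hex digits.
const REAL = "A1B2 C3D4 E5F6 0718 293A 4B5C 6D7E 8F90 DEAD BEEF";
const SAME_ID = "0F1E 2D3C 4B5A 6978 8796 A5B4 C3D2 E1F0 DEAD BEEF";
const OTHER = "1111 2222 3333 4444 5555 6666 7777 8888 9999 0000";

function demo() {
  const store = new KeyPinStore();
  const who = "jane@example.org";
  const ambiguous = store.evaluate(who, [REAL, OTHER]); // two keys, none pinned
  store.pin(who, REAL);                                 // user's explicit choice
  const ok = store.evaluate(who, [OTHER, REAL]);        // pinned key still offered
  const swapped = store.evaluate(who, [SAME_ID]);       // pinned key gone
  return { ambiguous, ok, swapped };
}
```

A mail client would show the `first-use` warning and the `changed` result to the user before encrypting, and could use `extras` to notify the key owner that another key has been uploaded for their address.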

