IETF Logo Mail Archive

Re: [openpgp] public logging of e-mail certificates [was: Re: OpenPGP private certification]

ianG <iang@iang.org> Sat, 11 April 2015 16:14 UTC

Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B6861A1A46 for <openpgp@ietfa.amsl.com>; Sat, 11 Apr 2015 09:14:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.5
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 tagged_above=-999 required=5 tests=[BAYES_99=3.5] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b9IINXKJAF0B for <openpgp@ietfa.amsl.com>; Sat, 11 Apr 2015 09:14:51 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C70411A1A3B for <openpgp@ietf.org>; Sat, 11 Apr 2015 09:14:51 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id 6D01A6D7AA; Sat, 11 Apr 2015 12:14:50 -0400 (EDT)
Message-ID: <55294878.7000900@iang.org>
Date: Sat, 11 Apr 2015 17:14:48 +0100
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <CAA7UWsUz65C0GAQo8Yf7ZOeT9BYy+NLV5pbbPg+Ok0-72ca1eA@mail.gmail.com> <1427140788.10191.75.camel@scientia.net> <5510B7CF.8060308@iang.org> <1427168189.10191.241.camel@scientia.net> <5511FE82.6010807@iang.org> <1427243451.10191.375.camel@scientia.net> <5512F137.80702@iang.org> <CAHBU6isgirHnx+gHP+OiHuvhzD+1OTCShCHEkhWcqEmUn9qnzQ@mail.gmail.com> <CAMm+LwiXKf1DvgbHaZoJnKdCVbak-jderv6Z8KDs9xPEbUuYQQ@mail.gmail.com> <1427343948.23692.14.camel@scientia.net> <CAMm+Lwi5bVTujuazTXw7oRty7n5RtsObEfNrJzmbtPiOb-X25g@mail.gmail.com> <m27fu3fsom.fsf@usma1mc-0csx92.kendall.corp.akamai.com> <CAMm+LwjBuZfP4NwRCy23_d9eRtcfUiLKdyZOu+jYT72HfB0g9g@mail.gmail.com> <87vbhlt8tg.fsf@alice.fifthhorseman.net> <CAMm+Lwjo5eyCHNahqWcwUBoaevCw2s3WAeq-2=maW=JEpCFWxA@mail.gmail.com> <87ego3g3v8.fsf@alice.fifthhorseman.net> <CAMm+Lwh3CiHV4L0PJFFnXdjo3prFOY=OZn5yTwW15BXQWU4RFw@mail.gmail.com> <87wq1vemp5.fsf@alice.fifthhorseman.net> <CAMm+LwhkB3cHKe-Y34QbL411qVjdzPhv5e8WFiiRSNmrrD_rGw@mail.gmail.com>
In-Reply-To: <CAMm+LwhkB3cHKe-Y34QbL411qVjdzPhv5e8WFiiRSNmrrD_rGw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/EWEdRh_WEO8zvY1f82PEiQhjlJE>
Subject: Re: [openpgp] public logging of e-mail certificates [was: Re: OpenPGP private certification]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Apr 2015 16:14:53 -0000

On 1/04/2015 19:56 pm, Phillip Hallam-Baker wrote:
> OK, this is what I am planning to do for PrismProof email.
>
> After trying a number of approaches I have concluded that the best
> approach today is to insist that each keypair have exactly one
> purpose.


Concur.

> So Alice will always have a personal root key and an intermediate key
> signing key and the fingerprint of this PKI is the hash of the keyinfo
> block of the personal root. to do key endorsement she will also need a
> key endorsement key on each device she wants to use for endorsements.
>
> Alice-Personal-Root -> Key Signing Key -> Key Endorsement Key[s]


OK.  (at least, it mirrors what I do.)

> [One reason for the no sharing rule for KEKs is that it makes dealing
> with a stolen phone etc. much easier]

By that you mean, one KEK per device, not the common proxy SSL device 
rule of one cert shared across all.  OK, agreed if so.

However I'm not sure you'll hit the mark on the stolen phone.  Much of 
the world only has a phone, so it also has to deal with the full 
hierarchy.  A more comprehensive solution is needed.  In my work, I 
duplicate the phone's (encrypted) db onto server (cloud) and then try to 
recover that and get her up and going when Alice loses her phone.  But I 
freely admit it is flawed as it is weakening the entire security to the 
level of her password/pin, in some shared or non-shared form, and 
relying on a bunch of assumptions that for anyone but a security geek 
look exceedingly mushy.


> Each cert in this chain would be enrolled in an append-only
> cryptographic log which provides proof that it existed at a particular
> point in time. But none of these certs requires an email address.
>
> For various reasons, we probably want these certs to be enrolled in a
> transparent log that publishes both the block chain and the input
> data. It is not necessary for a log to publish the input values to fix
> them in time however.


You're saying that the KEKs are published in their entirety, but they do 
not include any sensitive information.  Just a signing hash that points 
back up to the cert hierarchy.

So what is your motive for timestamping / proof of existence here - to 
stop people creating sybils?


> When Alice endorses Bob, this is not an operation currently supported
> by PKIX and so the 'no new ASN.1' rule applies. The endorsement is
> probably some sort of JSON structure:
>
> {"name":"Bob",
>   "email":"bob@example.com",
>    fingerprint":"phb:qweflkqwhjdflkjhasdlkjhasdvlkjhlksajvh",
>    "date":"2015-04-01:01:23Z",
>    "blind":"askfasjkldhkjashdvkjhsadkjh"}
> <...Signature data...>
>
> This is of course simply another form of certificate but it is a very
> different type of cert so its best to use a different term.


Yes.  But it in itself is also quite defined.  So, in the above, Alice 
endorses Bob lacks any sense of "for what?"  Do we need a different 
endorsement for each "what" or are we looking for a general endorsement 
and a "what policy" or a "what statement" ?

> Alice is
> not going to commit to managing the endorsement lifecycle.

Agreed.  But she is going to be pissed when it breaks on her.


> The property we want to get from enrolling the endorsement in a log is
> to fix it in time. So we enroll the hash in the log rather than the
> endorsement itself.


So, a log can be used for:  fixing in time, publishing, proof of 
existence without time, proof of revocation, ... possibly other things. 
  Do you have a sense that we know enough about the endorsement to be 
able to tie down those benefits?

Reason I ask is this:  in my work, the endorsements are shared amongst a 
group, but not further.  They are replaceable.  And they are analisable. 
  So they aren't really private but they aren't published.  (They are 
also wrapped up in a legal context.)

My question then comes down to finding the low layer endorsement brick 
that allows me to build my castle of trust.

> The value "blind" is a random value that leaks Alice's RNG to the
> NSA^h^h^h^h^h^h^h^h prevents dictionary attacks.


:)


iang

v2.23.0 | Report a Bug | By Email