IETF Logo Mail Archive

Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 15 April 2019 17:35 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725EA1201E6 for <openpgp@ietfa.amsl.com>; Mon, 15 Apr 2019 10:35:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=lBjbIOky; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=BruMn2dD
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r55qLB4Te9X3 for <openpgp@ietfa.amsl.com>; Mon, 15 Apr 2019 10:35:03 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33A69120131 for <openpgp@ietf.org>; Mon, 15 Apr 2019 10:35:03 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1555349701; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=FFbmV6fu5lzzbjUO1Ggb6DXHmz3IlMdU34SMzgH8jZw=; b=lBjbIOkynzMD8rP9liSki8L/Y6PapaEJbkE942geyEcUi/8faIhrawYK r3Cmf+t6pDPjy6O6Z5NxRFcb/w+ACA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1555349701; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=FFbmV6fu5lzzbjUO1Ggb6DXHmz3IlMdU34SMzgH8jZw=; b=BruMn2dD1cmgtaK2GUsXZUNXmi2MP48y61Qmkc9qnWgiAB66Z6fDhi5c G3Iwwi8Resvpk8QPaI8xWLxEuLoVbDevnzLMMYTh2gJFx906PnxvT0fqdm 5k2R10AF7Slt4Heg8cCz/e3QxOsN4mIh0wa5Hd2J+QIiEl3VU0h2793guW vKjAkhqhmmaM+I/KOWGHrEl8o28iMGNpQNGrkQGD6FPAE72WWpcuoePx8r +Jm3/OdVcDooZ6+Yur4Al4oqtsLh1cipeOl0o+Un6foJB3YpkYquIRdSp/ GqI9X6Jm8pa9rD6wpNKxg8r0OsBx2onN1tvU2k1qicgtI3HZJUM8gQ==
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 89AC1F99F; Mon, 15 Apr 2019 13:35:00 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 053652022A; Mon, 15 Apr 2019 13:16:08 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Micah Lee <micah.lee@theintercept.com>, openpgp@ietf.org
In-Reply-To: <2885d227-9dc4-c393-d259-fcbfd52a5c71@theintercept.com>
References: <87v9zt2y2d.fsf@fifthhorseman.net> <8736mu350z.fsf@fifthhorseman.net> <2885d227-9dc4-c393-d259-fcbfd52a5c71@theintercept.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Mon, 15 Apr 2019 13:16:07 -0400
Message-ID: <87a7gr5gvc.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/_eOExzgOGMrSQBP0e7f8II-bi0g>
Subject: Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 17:35:08 -0000

Hi Micah--

Thanks for the thoughtful review and feedback.  sorry it's taken me a
little while to integrate it.  Some thoughts below:

On Mon 2019-04-08 10:06:36 -0700, Micah Lee wrote:
> I completely agree with the (unfortunate) sentiment that searching by
> user ID is not appropriate for key discovery, because user ID flooding
> is trivial. However supporting some advanced querying of data in the
> keystore, including by user ID, may be useful for non-key discovery
> reasons, like to determine if someone else is impersonating your
> certificate.

I'm not sure i understand this concern, so i want to unpack it a bit.
If you've got specific text you'd like me to add after this discussion,
please do suggest it!

First, a bit of pedantry (sorry!): i think the attack that you're
describing is *not* someone impersonating your certificate, but rather
someone impersonating your user ID.  Is that what you're talking about?

I've labeled the abuse-detection action you're describing as "identity
monitoring" in draft -03.

However, if flooding a given user ID makes certificate discovery
impossible, then flooding a given user ID *also* makes "identity
monitoring" impossible.

So, i think what you're describing is an interesting tension -- but one
that presumes some sort of authoritative nature for the keystore in the
first place, in which case perhaps the authoritative element is where
the appropriate filtering comes in, right?

> I also think it's worth adding a mitigation that specifically deals with
> this SKS Keyserver bug [1], probably in section 3.  There is never a
> legitimate reason for a certificate to contain a user ID packet with a
> signature that doesn't verify, or with a signature that verifies using
> any key other than the certificate's primary key. If such user ID and
> signature packet pairs are found, they should always be rejected.

I think you're making an argument that all keystores should do
cryptographic validation.  That has interesting implications, given that
there might be use cases where it's useful to distribute certifications
issued by keys that the keystore doesn't know about.  I welcome textual
suggestions that improve this guidance in the current draft!

> If an abuse-resistent keystore wishes to provide a UI at all, as opposed
> to just an API, then the UI should focus on protecting users from abuse,
> and make it clear that certificates don't necessarily belong to the
> people or email addresses in the User ID packets, and, if the keystore
> doesn't reject malicious user IDs and revocation certificates, make it
> clear that all of the information displayed about the key might be
> inaccurate as displayed through that UI. But, perhaps a better option is
> that the keystores should not provide a UI at all, and instead only
> provide an API.

I agree, the user interface for a keystore (if any exists) needs to make
clear what work it has done to vet the data it offers.  I've added a few
paragraphs about user interface to the draft, and would welcome
clarifications there.

I don't want to make the document particularly elaborate in its
discussion of user interface, because (a) the IETF isn't a particularly
good forum for user interface discussion currently, and (b) many
keystores have radically different UI/UX scenarios, and (c) full user
interface details seem like they might warrant a distinct discussion
that is more implementation-specific anyway.

My current approach is to imply that a keystore has an (abstract)
three-part API of "certificate submission" (new data proposed for
inclusion), "certificate update" (certificate retrieval by fingerprint),
and "certificate discovery" (certificate retrieval by user ID or
substring match).  I touch a bit on other potential API endpoints in the
text.  If you think i'm missing something, please point it out!


> Also, as others have pointed out in this thread, I think that hosting a
> keystore using modern distributed blockchain technology is a good idea,
> and one of the few genuinely useful uses of blockchain technology.
> Storing data in a blockchain is also much more reliable than keyservers
> that periodically sync with some set of other keyservers, because every
> keystore will have an exact copy of all data, rather than various
> keystores having various different states of the data.

I've added a section on global append-only logs ("blockchains") to draft
-03.

> Section 5 is dedicated to "non-append-only mitigations", which wouldn't
> work with a blockchain. However I think that all of these mitigations
> could be applied at _query time_, which would allow the keystore itself
> to be append-only, but still provide users with the same resistance
> against abuse as if this data was dropped at write time.

This is a useful insight, and i've tried to document it in -03 as well.
I welcome text to improve it.

> Finally, I found a few typos saying "certiifcate" instead of "certificate".

thanks, fixed!

        --dkg

v2.23.0 | Report a Bug | By Email