Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 07 April 2019 02:47 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1D1A1203BA for <openpgp@ietfa.amsl.com>; Sat, 6 Apr 2019 19:47:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=v36aMXcD; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=rFqN2/cc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YWY-uTt9ghYa for <openpgp@ietfa.amsl.com>; Sat, 6 Apr 2019 19:47:46 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F7A11202D3 for <openpgp@ietf.org>; Sat, 6 Apr 2019 19:47:46 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1554605264; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=nWvqsgzIIW28jr75O2igH2XAT2UMk0mU5efqNe+W0o4=; b=v36aMXcDI+S9nP+HNRskDoJJ6uV2oiI/p1cYmM6RvnkZgCIomwjHAkpk aWmlmkywAIjRcpATzfbHpJac7MzGDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1554605264; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=nWvqsgzIIW28jr75O2igH2XAT2UMk0mU5efqNe+W0o4=; b=rFqN2/ccQlIVrHTVLDxphnfcfpuAGphF9UVAyL2Zy9pY+SFWTZmD3d6A H6N12Fu65iiWwivbl6to+jvmxAbDtn/8LeRGswX20Z195oLJKdCfxRrzoH naIHMFirHQZAPRrWc/VJtM1vkWYVxQBVpBFUPfmeeosRNQisA8epk/OPRD Vfa0/3KzkycJNW9mhJNw2WQHjZJUkSNjdNzLHQa9nj8QQXGFz84paQT8tJ LnRTG4x1590MfS1jzBC6VrsBfRmohJCiK3MWZccSumsTZ+25WhEvzjYqtN s5eUuy6DzAQM6Z35xdDa9HAlGipYLBdO8t4qUC0ZnSSYgyPV2hwbiA==
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id C2B16F99E for <openpgp@ietf.org>; Sat, 6 Apr 2019 22:47:44 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 885B52065D; Sat, 6 Apr 2019 22:47:41 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <87v9zt2y2d.fsf@fifthhorseman.net>
References: <87v9zt2y2d.fsf@fifthhorseman.net>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Sat, 06 Apr 2019 22:47:40 -0400
Message-ID: <8736mu350z.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/gB761GUwQb3dFv-ZRUk7Sn0JRGg>
Subject: Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Apr 2019 02:47:52 -0000
On Thu 2019-04-04 18:41:14 -0400, Daniel Kahn Gillmor wrote: > I've documented some thoughts on how to resist this abuse in a new > Internet Draft: > > https://datatracker.ietf.org/doc/draft-dkg-openpgp-abuse-resistant-keystore/ Thanks to all for the discussion around this draft. I've tried to incorporate some of the feedback i've gotten, and added more mitigations and considerations, producing version -01. Substantive changes between -00 and -01: * split out Contextual and Non-Append-Only mitigations * documented several other mitigations, including: - Decline Data From the Future - Blocklist - Exterior Process - Designated Authorities - Known Certificates - Rate-Limiting - Scoped User IDs * documented Updates-Only Keystores * consider three different kinds of flooding * deeper discussion of privacy considerations * better documentation of Reason for Revocation * document user ID conventions The source for draft -01 is attached to this message, and remains available for merge requests and open issues at: https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore The most unsettling evolution of my own thinking on this has to do with clarifying the inherent tension between accepting unrestricted public certificate uploads and permitting useful certificate discovery (by user ID). (see the final paragraph of the security considerations section) In a world where the public contains people with malice (our world), i think we can't have both of those features due to user ID flooding. This has unfortunate implications for use cases that depend on public keyservers for both certificate discovery and unrestricted upload. This isn't a particularly novel or surprising insight, but it's definitely sad, since that was a nice set of features offered by the keyserver network, but i don't see how it can possibly be sustained in the face of deliberate attack. The implication is, i think, that we need to think differently about certificate discovery in most cases. In particular, i'm thinking that we really do need to expect in-band certificate discovery where possible, falling back to reliance on a deliberately curated keystore (which means being vulnerable to the curators). We'd then mainly to rely on public keystores for certificate update (and not for discovery). Finally, i'd like to call people's attention to § 9.3 ("Assessing Certificates in the Past") -- this suggests that either our keystores need to be append-only (which is sad because of the risk of growth without bound) or we need to acknowledge that they can only reliably be used for online verification. Again, in-band certificate mitigation might help with this (i.e., distributing some form of certificate alongside the signature that needs verification, which can then be merged with any updated information from public keystores). --dkg
- [openpgp] Modelling an abuse-resistant OpenPGP ke… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Peter Gutmann
- Re: [openpgp] [Sks-devel] Modelling an abuse-resi… Kiss Gabor (Bitman)
- Re: [openpgp] [Sks-devel] Modelling an abuse-resi… Wiktor Kwapisiewicz
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Jonathan McDowell
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Micah Lee
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Phil Pennock
- Re: [openpgp] Modelling an abuse-resistant OpenPG… ilf
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… ilf
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… ilf
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor