IETF Logo Mail Archive

Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 07 April 2019 02:47 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1D1A1203BA for <openpgp@ietfa.amsl.com>; Sat, 6 Apr 2019 19:47:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=v36aMXcD; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=rFqN2/cc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YWY-uTt9ghYa for <openpgp@ietfa.amsl.com>; Sat, 6 Apr 2019 19:47:46 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F7A11202D3 for <openpgp@ietf.org>; Sat, 6 Apr 2019 19:47:46 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1554605264; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=nWvqsgzIIW28jr75O2igH2XAT2UMk0mU5efqNe+W0o4=; b=v36aMXcDI+S9nP+HNRskDoJJ6uV2oiI/p1cYmM6RvnkZgCIomwjHAkpk aWmlmkywAIjRcpATzfbHpJac7MzGDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1554605264; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=nWvqsgzIIW28jr75O2igH2XAT2UMk0mU5efqNe+W0o4=; b=rFqN2/ccQlIVrHTVLDxphnfcfpuAGphF9UVAyL2Zy9pY+SFWTZmD3d6A H6N12Fu65iiWwivbl6to+jvmxAbDtn/8LeRGswX20Z195oLJKdCfxRrzoH naIHMFirHQZAPRrWc/VJtM1vkWYVxQBVpBFUPfmeeosRNQisA8epk/OPRD Vfa0/3KzkycJNW9mhJNw2WQHjZJUkSNjdNzLHQa9nj8QQXGFz84paQT8tJ LnRTG4x1590MfS1jzBC6VrsBfRmohJCiK3MWZccSumsTZ+25WhEvzjYqtN s5eUuy6DzAQM6Z35xdDa9HAlGipYLBdO8t4qUC0ZnSSYgyPV2hwbiA==
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id C2B16F99E for <openpgp@ietf.org>; Sat, 6 Apr 2019 22:47:44 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 885B52065D; Sat, 6 Apr 2019 22:47:41 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <87v9zt2y2d.fsf@fifthhorseman.net>
References: <87v9zt2y2d.fsf@fifthhorseman.net>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Sat, 06 Apr 2019 22:47:40 -0400
Message-ID: <8736mu350z.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/gB761GUwQb3dFv-ZRUk7Sn0JRGg>
Subject: Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Apr 2019 02:47:52 -0000

On Thu 2019-04-04 18:41:14 -0400, Daniel Kahn Gillmor wrote:
> I've documented some thoughts on how to resist this abuse in a new
> Internet Draft:
>
>    https://datatracker.ietf.org/doc/draft-dkg-openpgp-abuse-resistant-keystore/

Thanks to all for the discussion around this draft.  I've tried to
incorporate some of the feedback i've gotten, and added more mitigations
and considerations, producing version -01.

Substantive changes between -00 and -01:

 * split out Contextual and Non-Append-Only mitigations
 * documented several other mitigations, including:
   - Decline Data From the Future
   - Blocklist
   - Exterior Process
   - Designated Authorities
   - Known Certificates
   - Rate-Limiting
   - Scoped User IDs
 * documented Updates-Only Keystores
 * consider three different kinds of flooding
 * deeper discussion of privacy considerations
 * better documentation of Reason for Revocation
 * document user ID conventions

The source for draft -01 is attached to this message, and remains
available for merge requests and open issues at:

  https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore

The most unsettling evolution of my own thinking on this has to do with
clarifying the inherent tension between accepting unrestricted public
certificate uploads and permitting useful certificate discovery (by user
ID). (see the final paragraph of the security considerations section)

In a world where the public contains people with malice (our world), i
think we can't have both of those features due to user ID flooding. This
has unfortunate implications for use cases that depend on public
keyservers for both certificate discovery and unrestricted upload.

This isn't a particularly novel or surprising insight, but it's
definitely sad, since that was a nice set of features offered by the
keyserver network, but i don't see how it can possibly be sustained in
the face of deliberate attack.

The implication is, i think, that we need to think differently about
certificate discovery in most cases.  In particular, i'm thinking that
we really do need to expect in-band certificate discovery where
possible, falling back to reliance on a deliberately curated keystore
(which means being vulnerable to the curators).  We'd then mainly to
rely on public keystores for certificate update (and not for discovery).

Finally, i'd like to call people's attention to § 9.3 ("Assessing
Certificates in the Past") -- this suggests that either our keystores
need to be append-only (which is sad because of the risk of growth
without bound) or we need to acknowledge that they can only reliably be
used for online verification.  Again, in-band certificate mitigation
might help with this (i.e., distributing some form of certificate
alongside the signature that needs verification, which can then be
merged with any updated information from public keystores).

    --dkg

v2.23.0 | Report a Bug | By Email