IETF Logo Mail Archive

Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver

Micah Lee <micah.lee@theintercept.com> Mon, 08 April 2019 17:06 UTC

Return-Path: <micah.lee@theintercept.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00E0612002F for <openpgp@ietfa.amsl.com>; Mon, 8 Apr 2019 10:06:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=theintercept.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CAMrEhNKiJoh for <openpgp@ietfa.amsl.com>; Mon, 8 Apr 2019 10:06:41 -0700 (PDT)
Received: from mail.newconews.org (central-mail01.newconews.org [8.25.220.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7740E1200FA for <openpgp@ietf.org>; Mon, 8 Apr 2019 10:06:41 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.newconews.org (Postfix) with ESMTP id A515A409274 for <openpgp@ietf.org>; Mon, 8 Apr 2019 17:06:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=theintercept.com; s=ticom20140908; t=1554743200; bh=lLxelfNbi4fIW5FNrghPwqzwivbMeV1TqzFT2mz6XdU=; h=Subject:To:References:From:Date:In-Reply-To; b=GJxRdUoqWYsovs4ogDk3g3fOVTXw3VdxF3L2ECbKLzVZWhHIF5mayOz7LNs/LuWp2 8Zl3DyrOUFrrwfDFmjq/Y5q45SY2ExDRVMJ/UBMk97j86jlmlihI2y3R0PNEYYDdvt oHS8J8t/mANnCuvQrTEmvCh1FJl53qPY/2LXPyEA=
Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.newconews.org (Postfix) with ESMTPSA id 67CB7409273 for <openpgp@ietf.org>; Mon, 8 Apr 2019 17:06:40 +0000 (UTC)
To: openpgp@ietf.org
References: <87v9zt2y2d.fsf@fifthhorseman.net> <8736mu350z.fsf@fifthhorseman.net>
From: Micah Lee <micah.lee@theintercept.com>
Openpgp: preference=signencrypt
Message-ID: <2885d227-9dc4-c393-d259-fcbfd52a5c71@theintercept.com>
Date: Mon, 08 Apr 2019 10:06:36 -0700
MIME-Version: 1.0
In-Reply-To: <8736mu350z.fsf@fifthhorseman.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="gktkq8N0okL20Pm5HbVMx4lMV1hqESHjR"
X-Virus-Scanned: ClamAV using ClamSMTP
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/nm6wGmk7yOs24xSX-IM-xFUV8Mo>
Subject: Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2019 17:06:44 -0000

On 4/6/19 7:47 PM, Daniel Kahn Gillmor wrote:
> On Thu 2019-04-04 18:41:14 -0400, Daniel Kahn Gillmor wrote:
>> I've documented some thoughts on how to resist this abuse in a new
>> Internet Draft:
>>
>>    https://datatracker.ietf.org/doc/draft-dkg-openpgp-abuse-resistant-keystore/

Hey dkg, thank you for putting in the work to write this draft. It's
very necessary, and I think you lay out the problems and mitigations
well. Here is some feedback.

In section 2.2, the draft says: "If the keystore does not offer a
discovery interface at all (that is, if clients cannot search it by user
ID), then user ID flooding is of less consequence."

I completely agree with the (unfortunate) sentiment that searching by
user ID is not appropriate for key discovery, because user ID flooding
is trivial. However supporting some advanced querying of data in the
keystore, including by user ID, may be useful for non-key discovery
reasons, like to determine if someone else is impersonating your
certificate.

I also think it's worth adding a mitigation that specifically deals with
this SKS Keyserver bug [1], probably in section 3. There is never a
legitimate reason for a certificate to contain a user ID packet with a
signature that doesn't verify, or with a signature that verifies using
any key other than the certificate's primary key. If such user ID and
signature packet pairs are found, they should always be rejected.

The same (I believe) is true for revocations, except in the case where
there's a "designated revoker" (I have never used this feature of
OpenPGP, so I could be wrong here). Any revocation and sig packets,
where either the sig doesn't verify, or verifies but isn't signed by
either the primary key or the designated revoker key, should also always
be rejected. Otherwise, people can abuse the keystore by fake-revoking
other people's keys (which SKS is currently vulnerable to).

I also think that it might be reasonable to add a section about user
interfaces, specifically to avoid the issue that this SKS Keyserver pull
request [2] tries to fix. (This PR was approved in June 2018 but has not
been merged, and no releases have been made since then; the project
appears to be abandoned.)

At the moment, SKS keyserver provides a web interface that the public
often uses for key discovery, as well as to link directly to their PGP
certificates (for example, journalists provide these links in their
Twitter bios). But this interface shows users provably-malicious data
(like user IDs and revocations with signatures that don't verify).

If an abuse-resistent keystore wishes to provide a UI at all, as opposed
to just an API, then the UI should focus on protecting users from abuse,
and make it clear that certificates don't necessarily belong to the
people or email addresses in the User ID packets, and, if the keystore
doesn't reject malicious user IDs and revocation certificates, make it
clear that all of the information displayed about the key might be
inaccurate as displayed through that UI. But, perhaps a better option is
that the keystores should not provide a UI at all, and instead only
provide an API.

Also, as others have pointed out in this thread, I think that hosting a
keystore using modern distributed blockchain technology is a good idea,
and one of the few genuinely useful uses of blockchain technology.
Storing data in a blockchain is also much more reliable than keyservers
that periodically sync with some set of other keyservers, because every
keystore will have an exact copy of all data, rather than various
keystores having various different states of the data.

Section 5 is dedicated to "non-append-only mitigations", which wouldn't
work with a blockchain. However I think that all of these mitigations
could be applied at _query time_, which would allow the keystore itself
to be append-only, but still provide users with the same resistance
against abuse as if this data was dropped at write time.

Finally, I found a few typos saying "certiifcate" instead of "certificate".


[1]
https://bitbucket.org/skskeyserver/sks-keyserver/issues/41/web-app-displays-uids-on-keys-that-have
[2]
https://bitbucket.org/skskeyserver/sks-keyserver/pull-requests/59/add-disclaimer-to-html-template-educating/diff

v2.23.0 | Report a Bug | By Email