Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver
Micah Lee <micah.lee@theintercept.com> Mon, 08 April 2019 17:06 UTC
Return-Path: <micah.lee@theintercept.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00E0612002F for <openpgp@ietfa.amsl.com>; Mon, 8 Apr 2019 10:06:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=theintercept.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CAMrEhNKiJoh for <openpgp@ietfa.amsl.com>; Mon, 8 Apr 2019 10:06:41 -0700 (PDT)
Received: from mail.newconews.org (central-mail01.newconews.org [8.25.220.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7740E1200FA for <openpgp@ietf.org>; Mon, 8 Apr 2019 10:06:41 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.newconews.org (Postfix) with ESMTP id A515A409274 for <openpgp@ietf.org>; Mon, 8 Apr 2019 17:06:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=theintercept.com; s=ticom20140908; t=1554743200; bh=lLxelfNbi4fIW5FNrghPwqzwivbMeV1TqzFT2mz6XdU=; h=Subject:To:References:From:Date:In-Reply-To; b=GJxRdUoqWYsovs4ogDk3g3fOVTXw3VdxF3L2ECbKLzVZWhHIF5mayOz7LNs/LuWp2 8Zl3DyrOUFrrwfDFmjq/Y5q45SY2ExDRVMJ/UBMk97j86jlmlihI2y3R0PNEYYDdvt oHS8J8t/mANnCuvQrTEmvCh1FJl53qPY/2LXPyEA=
Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.newconews.org (Postfix) with ESMTPSA id 67CB7409273 for <openpgp@ietf.org>; Mon, 8 Apr 2019 17:06:40 +0000 (UTC)
To: openpgp@ietf.org
References: <87v9zt2y2d.fsf@fifthhorseman.net> <8736mu350z.fsf@fifthhorseman.net>
From: Micah Lee <micah.lee@theintercept.com>
Openpgp: preference=signencrypt
Message-ID: <2885d227-9dc4-c393-d259-fcbfd52a5c71@theintercept.com>
Date: Mon, 08 Apr 2019 10:06:36 -0700
MIME-Version: 1.0
In-Reply-To: <8736mu350z.fsf@fifthhorseman.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="gktkq8N0okL20Pm5HbVMx4lMV1hqESHjR"
X-Virus-Scanned: ClamAV using ClamSMTP
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/nm6wGmk7yOs24xSX-IM-xFUV8Mo>
Subject: Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2019 17:06:44 -0000
On 4/6/19 7:47 PM, Daniel Kahn Gillmor wrote: > On Thu 2019-04-04 18:41:14 -0400, Daniel Kahn Gillmor wrote: >> I've documented some thoughts on how to resist this abuse in a new >> Internet Draft: >> >> https://datatracker.ietf.org/doc/draft-dkg-openpgp-abuse-resistant-keystore/ Hey dkg, thank you for putting in the work to write this draft. It's very necessary, and I think you lay out the problems and mitigations well. Here is some feedback. In section 2.2, the draft says: "If the keystore does not offer a discovery interface at all (that is, if clients cannot search it by user ID), then user ID flooding is of less consequence." I completely agree with the (unfortunate) sentiment that searching by user ID is not appropriate for key discovery, because user ID flooding is trivial. However supporting some advanced querying of data in the keystore, including by user ID, may be useful for non-key discovery reasons, like to determine if someone else is impersonating your certificate. I also think it's worth adding a mitigation that specifically deals with this SKS Keyserver bug [1], probably in section 3. There is never a legitimate reason for a certificate to contain a user ID packet with a signature that doesn't verify, or with a signature that verifies using any key other than the certificate's primary key. If such user ID and signature packet pairs are found, they should always be rejected. The same (I believe) is true for revocations, except in the case where there's a "designated revoker" (I have never used this feature of OpenPGP, so I could be wrong here). Any revocation and sig packets, where either the sig doesn't verify, or verifies but isn't signed by either the primary key or the designated revoker key, should also always be rejected. Otherwise, people can abuse the keystore by fake-revoking other people's keys (which SKS is currently vulnerable to). I also think that it might be reasonable to add a section about user interfaces, specifically to avoid the issue that this SKS Keyserver pull request [2] tries to fix. (This PR was approved in June 2018 but has not been merged, and no releases have been made since then; the project appears to be abandoned.) At the moment, SKS keyserver provides a web interface that the public often uses for key discovery, as well as to link directly to their PGP certificates (for example, journalists provide these links in their Twitter bios). But this interface shows users provably-malicious data (like user IDs and revocations with signatures that don't verify). If an abuse-resistent keystore wishes to provide a UI at all, as opposed to just an API, then the UI should focus on protecting users from abuse, and make it clear that certificates don't necessarily belong to the people or email addresses in the User ID packets, and, if the keystore doesn't reject malicious user IDs and revocation certificates, make it clear that all of the information displayed about the key might be inaccurate as displayed through that UI. But, perhaps a better option is that the keystores should not provide a UI at all, and instead only provide an API. Also, as others have pointed out in this thread, I think that hosting a keystore using modern distributed blockchain technology is a good idea, and one of the few genuinely useful uses of blockchain technology. Storing data in a blockchain is also much more reliable than keyservers that periodically sync with some set of other keyservers, because every keystore will have an exact copy of all data, rather than various keystores having various different states of the data. Section 5 is dedicated to "non-append-only mitigations", which wouldn't work with a blockchain. However I think that all of these mitigations could be applied at _query time_, which would allow the keystore itself to be append-only, but still provide users with the same resistance against abuse as if this data was dropped at write time. Finally, I found a few typos saying "certiifcate" instead of "certificate". [1] https://bitbucket.org/skskeyserver/sks-keyserver/issues/41/web-app-displays-uids-on-keys-that-have [2] https://bitbucket.org/skskeyserver/sks-keyserver/pull-requests/59/add-disclaimer-to-html-template-educating/diff
- [openpgp] Modelling an abuse-resistant OpenPGP ke… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Peter Gutmann
- Re: [openpgp] [Sks-devel] Modelling an abuse-resi… Kiss Gabor (Bitman)
- Re: [openpgp] [Sks-devel] Modelling an abuse-resi… Wiktor Kwapisiewicz
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Jonathan McDowell
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Micah Lee
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Phil Pennock
- Re: [openpgp] Modelling an abuse-resistant OpenPG… ilf
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… ilf
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… ilf
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor
- Re: [openpgp] Modelling an abuse-resistant OpenPG… Daniel Kahn Gillmor