[Freedombox-discuss] Debian as though cryptographic authentication mattered Questions
Hi dkg,
Thank you for the thought experiment. It helped quite a bit. I still have a
few more questions which I hope you can find the time to answer.
> None of these things requires the use of legal or birth-given names.
Thanks for confirming that because the "key signing parties how-to" required
people to bring legal ID and it wasn't clear if your legal names *must* be
in the certs.
>
> I'd be cautious about the claim that pseudonyms "protect
> people's privacy". It requires a lot of work to maintain a
> pseudonym and keep it separate from a "meatspace" identity.
I realise that pseudonyms alone do not protect peoples privacy but it's a
method of obfuscation and another hurdle an identity theft must jump. Never
heard the "meatspace" word before - like it.
> the OpenPGP keyservers aren't centralized; there is a mesh of
> "gossiping" peers, which all publish all keys.
OpenPGP offers many options; self-signed, WOT, CA Cartel and PKCS. Please
confirm when people use the word OpenPGP on this list, is it interchangeable
with the OpenPGP WOT option? It gets confusing for me 8|
>
> Note that WebID only works if you can find the public web
> page in the first place, so it actually relies (in its
> present form) on DNS and the Certificate Authority Cartel.
I am not sure what your point is here. Isn't it difficult to find my OpenPGP
key for the first time too?
For WebID, I need the CA Cartel certificates for SSL to work on the
server-side. Can I use the OpenPGP WOT model as an alternative for SSL to
work on the server-side too?
> > really need a WOT/ CA model for clients? The paranoid side of me
> > wonders can you track someone if you have signed their key
> like openid providers can track you?
>
> The answer is No, at least not currently, in the OpenPGP
> certification scheme.
I assumed that a third party would not trust my key directly, but they would
look for a "government key" and would have to track/confirm that is
definitely the governments key. I realise now that the keyservers "gossip"
amongst themselves to confirm the web of trust and obviously through some
method of obfuscation people cannot be tracked, i.e. if I have a government
key and a third party that wishes to confirm my identity also has a
government key then I can be trusted. Does the WOT tell me/an application
when I can/cannot trust somebody new? Isn't that the reason for the whole
WOT?
> > If/when it's required in the future, I think keys should be
> signed by
> > government agencies as long as they can't track you through signing
> > your key!!
>
> Why governments instead of some other parties? Tracking
> isn't the only issue. Another issue is impersonation. If
> some government happens to be your adversary, they can issue
> themselves certificates in your name, and masquerade as you
> on the public network.
Our governments verify our real world identities, which means they should
also verify our online identities. My guess would be that at key signing
parties you use your government ID!! Having a government sign your OpenPGP
WOT key and everybody else in your country grows your WOT exponentially
faster. Of course, if your government's key has been signed by other
governments then you have access to the whole world. This would be so much
faster at building a WOT than key-signing parties. I realise now, I should
take advantage of that WOT to have people sign my keys so that if my
government were to become my adversary, thereby revoking my key I would
still have a WOT.
How would having a large WOT stop my government masquerading as me?
>
> -----------------
>
> Here's a thought experiment about who should be an
> "acceptable" certifier:
>
> Imagine that you and i met up in a cafe to chat about these
> things. We have a nice discussion (without coming to perfect
> agreement, naturally), drink some lemonade, exchange key
> fingerprints, eat some tasty cookies, and go home.
>
> Later, you get a communication over the network that purports
> to be from me, inviting you to connect to a server that i run
> that hosts, say, a jabber service you might want to use.
>
> How do you know that the message came from me in the first place?
> Should you need to trust a government to identify me? What
> about a member of the CA cartel?
>
> Let's say you decide to connect to the jabber service my
> message refers to; is this the right service? Should you
> need to rely on a government to properly (cryptographically)
> identify the service? What about a member of the CA cartel?
>
> My point is that we can bootstrap *all* of these
> authentication questions entirely without the aid of any
> government or CA. And then we can build nice things like
> authorization and confidentiality based on that
> authentication. The insertion of a government or a member of
> the CA cartel, or any other third party into this story can
> only weaken the integrity and confidentiality of the
> communications involved.
I agree.
>
> -------------------
>
> The next step to the above hypothetical of course involves
> people who haven't had a chance to meet together in a cafe.
> Does the government or the CA cartel become more useful in
> that case? What if the people involved have a mutual
> acquaintance or two?
So the problem is how do you grow a WOT without a government or a CA Cartel?
The CA Cartel wouldn't sign OpenPGP WOT because that would put them out of
business!! In the absence of government, I think the Foundation should sign
the Owner's key of every FBX sold from their online shop. The owner could
then sign the key of every local user account created on the FBX.
A person's credit card could be used as a means of ID, as long as the
billing address matches the delivery address. If you were to buy an FBX as a
gift, then you could sign your addressee's key with your key. Of course, I
am assuming that the credit card companies WOT is sufficient for key-signing
and that signing a key is as simple as creating a self-signed WebID
certificate. The real test for this proposal would be if you agreed to let
the FBX Foundation sign your key knowing that the Foundation are signing for
every FBX sold?
I look forward to your response.
-- fiftyfour
Reply to: