2008-11-29 22:31:25

Trust based PGP key signing

As a visitor here at rgb2r is now moving to a far-away country, the discussion came up again how to do PGP key signing properly. Originally, the requestor asked for passport based signing as done on most of the so-called PGP key signing parties. However, for the following reasons I will not sign passports and don't want passport based signatures.

Party signing

In the normal PGP key signing party based approach, all that is required to obtain a signature is a passport or identity card. The signer verifies that the signee looks like the person in the picture and then signs the key. For this, the signer does not have to know or trust the signee. The signer then submits the key to a key server and the signee can download it from there.

This method allows one to accumulate a lot of signatures over a short time, and to extend the network of signatures very quickly. However, it contains various flaws:

  • There is no trust relation between the signer and the signee, so the only thing that is attested by the signature is that the signee has certain similarities with the documents he/she presented.
  • However, especially in multinational keysigning parties, these documents can rather easily be forged so that an untrained eye cannot detect the forgery.
  • There may be valid reasons not to want to show one's ID. For example, if one is in possession of a diplomatic passport, one might not want to show it to everybody because it might be met with suspicion, or because having everyone aware of the status might compromise the position of the passport's owner.
  • In some cases, people may have valid reasons not to disclose their real names, especially if they're working in IT security, if they are political activists or live in a totalitarian regime. But even under normal circumstances, it should be accepted if a person does not want to disclose his/her real name.
    Some people are not even known under their real name at all, and thus a signature on their real name would be rather pointless.
  • The associated addresses need not automatically belong to the signee.

There are probably many more problems arising in this model from its lack of trust dependencies or its focus on the passport as the sole basis of trust, but these are the most apparent ones that came to mind.

Trust signatures

The so-called trust signature scheme follows an entirely different dogma. In this scheme, people who know each other well enough sign each other's keys in order to testify that the signee is known as the person he/she claims to be. This of course implies a much greater level of familiarity between the signer and the signee.

Note that in this scheme, it is perfectly valid for the signer to sign a key belonging to a pseudonym, if that's what the signee is known as. That may sound suspicious to a person who's used to attesting passports, but it is much more logical because in the end, the signer attests only what he knows about the other person, without relying on a paper he cannot verify.

Also, some more unrelated improvements come into play. In order to verify UIDs, the signer creates a signature for each individual UID and sends each one separately, in an encrypted mail, to the mail address in that UID. Then, the signer deletes the signature from the local keyring again. This sounds tedious, but there are good scripts to take care of that, such as, for example, caff from the pgp-tools package.

In this scheme, it is assured that the owner of the UIDs is at least aware of the signature that took place, and can decide whether or not to upload the signatures. On the other hand, a pseudonymous signer can participate without any loss of the trust relationship.
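The per-UID step described above, as an added example (not part of the original post and not caff's own code): it parses a constructed `gpg --with-colons --list-keys` listing and plans one signature and one encrypted mail per UID, so each signature only reaches the address it vouches for. The function names, the sample key and the pseudonym are made up for illustration.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output (not a real key).
SAMPLE = """\
pub:-:4096:1:AAAABBBBCCCCDDDD:1227997885:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:-::::1227997885::1111111111111111111111111111111111111111::Nightowl <owl@example.org>:
uid:-::::1227997885::2222222222222222222222222222222222222222::Nightowl (work\\x3a ops) <owl@example.net>:
uid:r::::1227997885::3333333333333333333333333333333333333333::Nightowl <old@example.com>:
uid:-::::1227997885::4444444444444444444444444444444444444444::Nightowl:
"""

# The mail address is the trailing <...> part of a UID, if there is one.
EMAIL = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>\s*$")


def unescape(field):
    """Undo gpg's C-style escaping (a literal ':' is listed as \\x3a)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def plan_per_uid_mail(listing):
    """Return (jobs, skipped): one signing/mail job per verifiable UID."""
    fingerprint, jobs, skipped = None, [], []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] == "fpr" and fingerprint is None:
            fingerprint = f[9]            # primary key fingerprint
        elif f[0] == "uid":
            uid = unescape(f[9])          # field 10 holds the user ID
            match = EMAIL.search(uid)
            if f[1] == "r":               # field 2 is validity; 'r' = revoked
                skipped.append((uid, "revoked"))
            elif match is None:
                skipped.append((uid, "no mail address"))
            else:
                # Sign this UID only, encrypt to the signee's own key, and
                # mail it to the address named in this UID and nowhere else.
                jobs.append({"sign_uid": uid, "send_to": match.group(1),
                             "encrypt_to": fingerprint})
    return jobs, skipped


if __name__ == "__main__":
    jobs, skipped = plan_per_uid_mail(SAMPLE)
    for job in jobs:
        print("sign %(sign_uid)r -> mail %(send_to)s (encrypted to %(encrypt_to)s)" % job)
    for uid, reason in skipped:
        print("skip %r: %s" % (uid, reason))
```

A signee who cannot read mail at one of the addresses never receives the signature for that UID, which is what ties the signature to control of the address.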


Posted by Tonnerre Lombard | Permanent link | File under: security, chaos