laying groundwork for an eventual migration away from SHA1 with gpg

David Shaw dshaw at jabberwocky.com
Thu May 21 16:27:41 CEST 2009


On May 21, 2009, at 6:32 AM, Nicholas Cole wrote:

> On Thu, May 14, 2009 at 2:46 PM, Micah Anderson <micah at riseup.net> wrote:
>> David Shaw <dshaw at jabberwocky.com> writes:
>>
>>> I don't mean there are faster/easier/cheaper ways of doing this
>>> mathematically.  I mean boring old subterfuge like going to a
>>> keysigning party with a fake ID, claiming to be someone else.  I get a
>>> bunch of signatures, and I'm done.  It skips the whole difficult math
>>> problem.
>>>
>>> I'm all for strong crypto protection against impersonation, but when
>>> there is a non-crypto impersonation attack that has essentially the
>>> same end result as a crypto impersonation attack, and the non-crypto
>>> variant of the attack is vastly cheaper, faster, and easier than the
>>> crypto attack, I do start to wonder what the point is of putting a
>>> strong crypto defense against the crypto attack.
>
> I've never quite understood "Key Signing Parties" for this reason.  It
> seems to me that OpenPGP and its web of trust provide an excellent way
> to represent technically and securely trust relationships that already
> exist.  You can't use OpenPGP to create trust that doesn't exist
> outside the system.

Key signing parties can't really create trust relationships, but  
they're not intended to.  Key signing parties are for proving  
identity.  Opinions may vary whether they do that well enough, but the  
intent is just to make a strong binding between a human being and a  
key.  Whether people then choose to trust signatures from that key is  
up to them.

Mind you, I don't think that people at key signing parties verify  
identity particularly well either, but at least identity is a more  
tractable problem than trust.

There is a built-in assumption in the classic web of trust that some  
identity verifiers are better than others.  See the "full" and  
"marginal" ownertrust settings, for example, and there are tunable  
options as to how many "full" signatures or "marginal" signatures are  
needed to establish identity for the user.

David
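
The ownertrust counting described in the message above, as an added example that is not part of the original message and is not GnuPG's own code: a simplified Python model of classic web-of-trust validity, showing that a signature only counts when the signer's key is itself valid and the signer has been assigned ownertrust. The parameter names mirror GnuPG's `--completes-needed` and `--marginals-needed` options (defaults 1 and 3); the key names and signature graph are constructed.

```python
# Simplified model of classic web-of-trust validity (illustrative, not GnuPG code).
# Constructed sample data: SIGS maps each key to the set of keys that signed it.
SIGS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "erin": {"alice"},          # one signature from a "full" verifier
    "frank": {"bob", "carol"},  # two signatures from "marginal" verifiers
    "grace": {"dave"},          # dave's identity is known, his verifying is not trusted
}
# Ownertrust: how much the user relies on each key owner as an identity verifier.
OWNERTRUST = {"alice": "full", "bob": "marginal", "carol": "marginal", "dave": "none"}

def compute_validity(sigs, ownertrust, own_key, completes_needed=1,
                     marginals_needed=3, max_depth=5):
    """Return {key: 'full' | 'marginal'}; keys with no counted signature are absent."""
    valid = {own_key: "full"}  # the user's own key is ultimately trusted
    for _ in range(max_depth):
        newly = {}
        for key, signers in sigs.items():
            if valid.get(key) == "full":
                continue
            full = marginal = 0
            for signer in signers:
                if valid.get(signer) != "full":
                    continue  # signer's own identity is not established
                if signer == own_key:
                    full = completes_needed  # own signature is sufficient alone
                elif ownertrust.get(signer, "none") == "full":
                    full += 1
                elif ownertrust.get(signer, "none") == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = "full"
            elif full or marginal:
                newly[key] = "marginal"
        if all(valid.get(k) == v for k, v in newly.items()):
            break  # nothing changed at this depth
        valid.update(newly)
    return valid

if __name__ == "__main__":
    for key, level in sorted(compute_validity(SIGS, OWNERTRUST, "me").items()):
        print(f"{key:6} {level}")
```
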



