How to show TOFU / Web Key Directory trust in Mail user Agents
Andre Heinecke
aheinecke at intevation.de
Fri Jun 10 10:35:08 CEST 2016
Hi,

I'm currently writing a plan for how we will implement support for TOFU in KMail.
For signature states this is relatively clear to me. We only show a "Green" or
Valid / Trusted signature once we have reached the "Key with enough
history for basic trust" state. Well, actually we will probably follow what
GpgME tells us.

But for sending I'm unsure how to handle encrypting to a recipient that does
not have enough history for basic trust.

Currently KMail warns if a Key for a UID is selected where the UID Validity is
less than Marginal. In the future [1] we want to show an icon representation
and a simplified Tooltip of the Key Validity next to the Recipient entry field,
where a click on the Icon would open a Details dialog with more explanations.

Unknown / key without history: Some kind of Warning / Question Mark Icon and a
tooltip with something simple like "Security Unknown".

But the next point is the one I am unsure about:

Marginal / key with too little history for basic trust: I'd like to show
something like "Security Good" / Green check mark in that case already.
Because:

a) Encrypting with this key means you are already protected against all
passive attacks, and just using OpenPGP is way better than sending an
unencrypted mail.

b) We are using TOFU (Trust on _first_ Use), not TOTU (Trust on tenth use ;-) )

c) I don't know what else the user could do to increase that trust in the TOFU
model. "Hey, please send me 10 more mails before I will respond to you with all
my secret data."

Full Details with TOFU History would be available on click in the details
Dialog for technically interested users.

But of course this leaves you open to an attack that would prompt you to
encrypt data to a Mail Address sent in a signed Mail, and the Reply would
already show "Good" security as you have verified one signature from that key.

Because of this I was criticized that this is a too "relaxed" UI and that we
should rather show some "There is no indication that this Key belongs to the
User" warning for cases where TOFU Trust is "Key with too little history".

Which leads me to another Problem: how to show / handle the case where a Key
was obtained from the drafted Web Key Directory [2]. In this case there is
already an indication that the Key belongs to the owner of the Mail account, as
the provider / web key service told us this. But in the TOFU Trust model this
key would be handled like a key with too little history.

I think ideally such a key would be treated like a key with enough history for
basic trust, as an Attack would have been more expensive than just "tricking"
the user into verifying one mail.

Do you have any suggestions on how we should handle this in the UI? And how to
treat Web Key Directory keys?

Regards,
Andre
1: https://phabricator.kde.org/T2520
2: http://www.ietf.org/id/draft-koch-openpgp-webkey-service-00.txt
--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
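As an added illustration of the policy question raised in the post (this is example code, not part of the mailing-list message, of KMail, or of GpgME): a small Python model that maps a recipient key's TOFU history state and the channel the key was obtained from to the icon and tooltip a mail client could show beside the recipient field. It encodes both variants under discussion, the "relaxed" UI that shows "Security Good" already at "too little history" and the stricter one that shows the "no indication that this key belongs to the user" warning, and it treats a Web Key Directory key like a key with enough history for basic trust, as the post proposes. The validity numbering, the signature-count thresholds, the origin strings and the icon names are this example's own assumptions, and `reply_attack_scenario` reproduces the one-signed-mail attack the post describes so the two UIs can be compared on it.

```python
"""Added example: TOFU state -> recipient UI state policy (not KMail/GpgME code)."""

from dataclasses import dataclass
from enum import IntEnum


class TofuValidity(IntEnum):
    """TOFU history states as named in the post; the numbering is assumed here."""
    CONFLICT = 0     # a different key was already seen for this address
    NO_HISTORY = 1   # key without history
    TOO_LITTLE = 2   # key with too little history for basic trust
    BASIC = 3        # key with enough history for basic trust
    LOTS = 4         # key with a lot of history


# Constructed thresholds for the toy history below, not GnuPG's real ones.
BASIC_TRUST_SIGNATURES = 10
LOTS_OF_HISTORY_SIGNATURES = 100


@dataclass
class TofuHistory:
    """Minimal per-(key, address) binding record, enough to derive a validity."""
    verified_signatures: int = 0   # signatures from this key verified so far
    conflicting_keys: int = 0      # other keys seen claiming the same address

    def validity(self) -> TofuValidity:
        if self.conflicting_keys:
            return TofuValidity.CONFLICT
        if self.verified_signatures == 0:
            return TofuValidity.NO_HISTORY
        if self.verified_signatures < BASIC_TRUST_SIGNATURES:
            return TofuValidity.TOO_LITTLE
        if self.verified_signatures < LOTS_OF_HISTORY_SIGNATURES:
            return TofuValidity.BASIC
        return TofuValidity.LOTS


@dataclass(frozen=True)
class UiState:
    level: str     # "bad", "unknown" or "good"
    icon: str      # assumed icon name shown next to the recipient
    tooltip: str   # simplified one-line text; full history belongs in a details dialog


def recipient_ui_state(validity: TofuValidity, origin: str,
                       relaxed: bool = False) -> UiState:
    """Map TOFU validity plus key origin to what the recipient field shows.

    origin: "wkd" for a key fetched from the Web Key Directory, anything else
    ("keyserver", "attachment", "unknown") for keys without a provider statement.
    relaxed=True is the UI the post argues for (green already at TOO_LITTLE);
    relaxed=False is the stricter UI its critics asked for.
    A WKD key is treated like a key with enough history for basic trust unless
    TOFU reports a conflict, which always wins.
    """
    if validity == TofuValidity.CONFLICT:
        return UiState("bad", "security-low",
                       "Security Conflict: a different key was seen for this address")
    if validity >= TofuValidity.BASIC or origin == "wkd":
        return UiState("good", "security-high", "Security Good")
    if validity == TofuValidity.TOO_LITTLE:
        if relaxed:
            return UiState("good", "security-high", "Security Good")
        return UiState("unknown", "security-medium",
                       "There is no indication that this key belongs to the user")
    return UiState("unknown", "dialog-question", "Security Unknown")


def reply_attack_scenario(relaxed: bool) -> dict:
    """The attack from the post: one signed mail from a never-seen key, then a reply.

    Returns the state shown for that key next to the state for a WKD-published
    key with no history at all, so the two cases can be compared per UI variant.
    """
    attacker = TofuHistory(verified_signatures=1)     # exactly one signature verified
    attacker_state = recipient_ui_state(attacker.validity(), "attachment", relaxed)
    wkd_key = TofuHistory()                            # never seen, but provider-published
    wkd_state = recipient_ui_state(wkd_key.validity(), "wkd", relaxed)
    return {"after_one_signed_mail": attacker_state, "from_wkd": wkd_state}


if __name__ == "__main__":
    for mode in (False, True):
        print("relaxed" if mode else "strict", reply_attack_scenario(mode))
```

Running the module prints both variants: under the strict policy the key seen in a single signed mail stays at "There is no indication that this key belongs to the user" while the WKD key is already "Security Good"; under the relaxed policy both show "Security Good", which is exactly the distinction the post is asking about.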