Request for Discussion: new/PubKeyDistributionConcept/FallbackServer
Neal H. Walfield
neal at walfield.org
Tue Jun 14 15:29:09 CEST 2016
On Tue, 14 Jun 2016 14:47:16 +0200,
Bernhard Reiter wrote:
> On Tuesday, 14 June 2016 14:25:20, Neal H. Walfield wrote:
> > Before I comment: what is an MSP?
>
> MSP: mail service provider
>
> (I've just taken the abbreviation from the wiki page.
> It makes sense to read it first anyway.)
>
> > What does "significantly add to 'validity level'" mean?
>
> Getting a pubkey from an MSP-operated WKD should add a medium amount
> to the level of "how much do I believe that this pubkey belongs
> to the owner of the email address that I am looking for".
>
> Medium because it will have to be a lot more than the contribution I get from
> having communicated with pubkey A and user U once or a couple of times.
> Only medium because other sources of validity will be necessary to detect
> malicious behaviour, so they must be able to get over medium for these
> scenarios.
>
> This mainly documents my mental model of how a good and secure user experience
> can be constructed in the future. I know that Werner's model is different.
> We need a way to get this exposed and talked about.

Please explain to me how a WKD being run by an MSP is not almost the
same thing as using key escrow? Let's say Alice's MSP runs WKD, I
look up her key using WKD, and her MSP returns the public part of a
fresh key. When I send her an email, the MSP re-encrypts the message
and neither I nor Alice is any wiser. The only defense against this
is if Alice anonymously and regularly checks that the WKD server
returns the correct public key, which isn't a terribly good defense.

So, no, WKD does not add a "medium" amount of validity to the key. In
fact, using a key server and guessing which key is right is probably
better than this scheme, because it uses a different network path,
which means your MSP couldn't be compromised by an NSL!

Note: it would be possible to save this scheme if we augmented WKD
with something like Coniks [1], but Werner doesn't like this, because
it adds complexity and will take too much time to implement and we
need to ship in the near future.

[1] https://coniks.cs.princeton.edu/

:) Neal
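
The check described in the message above, a key owner fetching her own WKD entry and comparing it with the key she actually published, could be scripted as follows. This is an added example, not part of the original post: the function names and the pinned SHA-256 digest are assumptions, the sample key bytes are constructed, and the URL is the direct-method layout from the WKD draft.

```python
import hashlib
import hmac
import urllib.request

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet


def wkd_hash(local_part: str) -> str:
    """z-base-32 of SHA-1 over the lowercased local part (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    n = int.from_bytes(digest, "big")  # 160 bits = 32 groups of 5 bits
    return "".join(ZBASE32[(n >> s) & 31] for s in range(155, -1, -5))


def wkd_url(address: str) -> str:
    """Direct-method WKD lookup URL for an address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(local)}"


def fetch(url: str, timeout: float = 10.0) -> bytes:
    # Must run from a network path the MSP cannot link to the key owner;
    # a server that recognises the owner can simply answer her honestly.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check_served_key(served: bytes, pinned_sha256: str) -> str:
    """Compare what the server returned with the digest of the real key.

    Simplification (assumption): pins the exact exported bytes. A production
    check would parse the OpenPGP data and compare primary-key fingerprints,
    since a legitimate re-export (new expiry, new user ID) changes the bytes.
    """
    if not served:
        return "MISSING"
    got = hashlib.sha256(served).hexdigest()
    return "OK" if hmac.compare_digest(got, pinned_sha256.lower()) else "MISMATCH"


if __name__ == "__main__":
    # Constructed sample data: stand-ins for Alice's real key and a substitute.
    real_key = b"constructed-bytes-standing-in-for-alice-key"
    pin = hashlib.sha256(real_key).hexdigest()
    print(wkd_url("Joe.Doe@Example.ORG"))
    print(check_served_key(real_key, pin))
    print(check_served_key(b"fresh-key-from-msp", pin))
```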