Request for Discussion: new/PubKeyDistributionConcept/FallbackServer

Neal H. Walfield neal at
Wed Jun 15 11:04:45 CEST 2016

On Wed, 15 Jun 2016 10:26:15 +0200,
Bernhard Reiter wrote:
> On Tuesday, 14 June 2016 15:29:09, Neal H. Walfield wrote:
> To give my personal summary (of my current state):
> Right now I believe that the introduction of WKD will have a better overall 
> security balance, because many more communication partners and 
> many more encrypted emails.

But does it create a false sense of security?  We want to be better
than x509, right?  If not, then just use S/MIME.

> > The only defense against this 
> > is if Alice anonymously and regularly checks that the WKD server
> > returns the correct public key, which isn't a terribly good defense.
> I claim that there are more defense possibilities and it is better
> to trust a number of MSPs a bit that you will have to give some trust
> anyway. (They could always just choose not to deliver an email
> and send their own encrypted email to Alice.)

To prevent a MitM, you need a secure channel.  You can decrease the
chance of a MitM by using multiple insecure channels.  These insecure
channels can be either in space (different network routes) or time
(last year, last month and yesterday).  This is what TOFU exploits.

WKD uses a single insecure channel multiple times.  This does not add

> The big problem we are trying to solve is that for many user
> groups we need to design a system that does not require advanced experience 
> with crypto concepts. To overcome this obstacle we try to find one
> pubkey that is (medium) likely to belong to the person that controls the email 
> address I want to encrypt to.

Well, WKD doesn't get you medium assurance.  Or, your idea of medium is
much different from mine.

> So it can be done automatically in 99.9% of
> all cases. As you can see from the discussion in the wiki, WKD can be helpful,
> but leaves the attack vector of the MSP open. It is much better than choosing a 
> pubkey from a public server where everybody can upload rogue pubkeys,
> because the attack against an MSP is much more expensive and there
> are many MSPs to choose from. You could choose some residing in a country that 
> does not have national security letter like the US has.

I disagree.  Using a key server means you get multiple routes, which
is better.

> However I believe because of 
> other reasons, that end-to-end encryption with OpenPGP needs to do something 
> and thus a more lightweight approach is good. Once a system like CONIKS is 
> there, we can switch to it with comparatively small efforts.

I disagree.  As I've stated in other mails, I think it will be harder,
because MSPs will rightly see that Coniks increases their liability
and they can say that they already implement a security measure.

:) Neal
