Modified user ids and key servers and a possible security risk?

Grant Olson kgo at grant-olson.net
Thu Aug 26 01:27:58 CEST 2010 

On 8/25/10 5:49 PM, Daniel Kahn Gillmor wrote:
> On 08/25/2010 03:28 PM, Grant Olson wrote:
>> (1) Verifying that the keydata hasn't been tampered with, like editing
>> in a hex editor?
> 
> this isn't very meaningful -- data is data, and you can't actually tell
> if it's been touched by a hex editor.
> 

I was thinking of that for the case where Tomas, the OP, managed to
upload a key to a keyserver that gpg was rejecting as invalid.  Should
the keyserver reject something with a corrupt sig in advance?  But I
guess you're already talking about that below...

>> (2) Only accepting keydata that has been signed by the key owner?
> 
> for self-sigs of algorithms that the keyserver understands, that's
> certainly a reasonable requirement.  This would allow keyservers to cull
> bogus self-sigs, bogus primary key revocations, and any associated data
> (e.g. be willing to drop any user ID that has no valid self-signature
> associated with it).
> 
> ...
> 
> And that's *just* for the self-signatures.  Deciding how to cull the
> non-self-signatures is an even larger can of worms.
>

The one big use case people throw around for keyservers with crypto
support is that keyservers could then honor the 'keyserver no-modify'
flag.  I'm not really too concerned with that, but I guess I'll frame
the conversation as that being the killer feature that crypto would
accomplish.

I was originally thinking, "How do you verify third party signatures?"
and the initial hacky answer seemed to be have the submitter sign the
keydata, not with a self-signature, but with a standard signature on the
whole file.  Less hacky solution proposed below...

>> (3) Possibly accepting keydata signed by trusted keys, for example peer
>> keyservers that that also perform the same verifications?
> 
> ugh, no, please.  i'd rather not turn keyserver operators into
> certifying authorities.  This would also introduce massive syncing
> problems, since each keyserver operator might choose to rely on a
> different set of peers, and would therefore accept a different set of
> certifications.
> 

I think for this and (4), I was out-thinking myself.  How would
keyservers trust each other enough to sync?  Or re-create the chain of
custody?  Would a pool of servers even be possible since syncing is
propagating data via a third party?  I wouldn't want a solution where
you couldn't sync between two servers.

Anyway, after some googling, it looks like there's a third-party
confirmation signature type in the spec.  I'm not sure exactly how that
works, but that seems like the less hacky way to deal with things.

A brief look at the rfc makes it look like I could certify the third
party sigs on my own keyring.  If that's right, maybe that's the only
way a keyserver would import third party sigs when no-modify is set.
You could have the keyserver:

(1) Perform crypto on self-sigs, only upload a key if the self-sigs on
the packets check out.

(2) If the newly uploaded key has the no-modify flag set, only add
third-party keys that have a "Third Party Confirmation" from the
original keyholder.

That seems like a reasonable solution if I'm understanding the
confirmation signature correctly.

Regarding a crypto algo that the server doesn't understand, or one
that's been flagged as 'weak' in the configuration, I think the server
would just have to reject that info.

-- 
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 559 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100825/17c44cc1/attachment.pgp>

More information about the Gnupg-users mailing list