Web of Trust in Practical Usage

[Daniel Kahn Gillmor]

On 05/09/2013 12:49 PM, Gregor Zattler wrote:

> There are no ownertrust paths but the pathfinder shows me how
> many disjunct paths are possible from my key to the other key.
> 
> An attacker would have to introduce fake signatures in every of
> the disjunct paths.

This is trivial to do.  I suspect the main reason no one has bothered to
do it is because no one is currently (that i know of) trying to use some
sort of voting scheme in what is effectively an infinitely large pool,
which would make them vulnerable to this attack.

Please don't start using (or encouraging other people to use) such a
voting scheme.  It is not a reliable or responsible mechanism in this space.

> Since I choose the first nodes on the path because I checked
> their identity (papers) and signed their key, I have some means
> of making the attack more difficult.

if you're counting distinct paths, those paths can start anywhere in the
chain.  so if you say "i will make this more difficult for an attacker
by only having ever signed the key of Alice", then your adversary just
needs to get one key signed by Alice before they start injecting false
identities, rather than getting a key signed by you.  This is not
significantly more difficult, and you have no way of knowing if it is
happening or not.

The responsibility ultimately rests on you to decide whose identity
certifications you are willing to rely on.  using a voting scheme is
nearly equivalent to saying "anyone who has a key, i will rely on in the
same way as anyone else".  This choice is disastrous in an environment
where it is easy to create and control "sockpuppet" accounts with their
own keys, and those accounts/keys are indistinguishable from "real"
accounts/keys.

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130509/e8b078ac/attachment.sig>