7

Can I use a trusted X.509 digital certificate to facilitate the expansion of my personal web of trust?

To be more specific:

  1. Can I use my X.509 certificate to sign my personal GnuPG master key?
  2. Will recipients be able to use the CA's certificates to verify that the public key is indeed mine?
  3. How does this compare to current web of trust expansion methods such as the key signing party when it comes to the trustworthiness and authenticity of my public key?
  4. Would this provide enough security for someone who doesn't know me personally to sign my master key?

When researching this topic, I came across this page about key signing policy:

Signing PGP keys with X.509 certificates

While a certificate from a CA is no real basis for trust in a PGP key, it may serve as a reasonable substitute when no other options are available.

Why would a signature from a national certificate authority not make a published key trustworthy?

My country implements a public key infrastructure around the PKCS #7 and X.509 standards. Their process is as follows:

  • CAs meet cryptographical requirements and get their keys signed by the government.
  • Users pay a fee to verify their identity with the CA and get a digital certificate issued by it.
  • Certificates are issued most often as smart cards and enable legally-binding digital signatures.

It seems to me that the CA is equivalent to a person in the web of trust whose signatures can be fully trusted, as per the GnuPG documentation:

The owner has an excellent understanding of key signing, and his signature on a key would be as good as your own.

If my key can indeed be signed by such a certificate, how can a recipient of my public key not be sure it is mine, given that my identity has been personally and rather thoroughly verified by the CA?


Related Information Security.SE questions I found:

There seems to be a lot of conflicting information in a lot of different places. If a signed OpenPGP or GnuPG public key is the same thing as an X.509 certificate, how can the signatures be incompatible? Also, the trust systems seem to be analogous to one another, save for the amount of bureaucracy involved.

Matheus Moreira

1 Answer

4

Can I use my X.509 certificate to sign my personal GnuPG master key?

Technically, yes, you could use the private key associated with your certificate to sign the X.509 public key, as a statement of authenticity from the X.509 cert. However, I suspect you're really asking "is there an existing integrated implementation of this which is ready to be used?", and the answer to that (as far as I'm aware) is no.

Will recipients be able to use the CA's certificates to verify that the public key is indeed mine?

Assuming you're talking about using the CA certs to verify that the PGP public key is yours, no. You have to distribute the public part of your X.509 certificate (what we would typically just call "the certificate" - the private part is usually called "the key") to all clients who want to use it to verify anything. In SSL/TLS, this distribution happens at the start of the connection, after the ServerHello packet is sent - the server directly provides the client with its certificate. In your case, you'd have to work out some way of distributing your certificate to people. You'd also need to be able to distribute the signatures, which wouldn't be attached to the PGP keys themselves (although you could likely jury-rig the signatures into the same extensions that WoT implementations use).

How does this compare to current web of trust expansion methods such as the key signing party when it comes to the trustworthiness and authenticity of my public key?

It's more cumbersome, lacks a real implementation, and merges two ecosystems that are designed to be separate. Web of trust allows other users to sign your public key with their private key, and publish those signatures.

As a scenario, imagine that Alice and Bob live in the same town, but I moved away and can no longer come visit. We all talk over email, signed with PGP. Before I moved, we all got together and exchanged public keys in person. Alice has just suffered a disk failure and didn't make a backup, so she has lost her keypair. She creates a new keypair, but I don't have a way of validating it. However, I trust Bob. He signs her public key with his private key, and distributes that signature. I can then trust Alice's signature by proxy, without ever validating it myself.

Introducing X.509 into this is painful. The certificate distribution alone is a major headache. If the CA goes rogue, they can issue arbitrary CAs and start socially engineering people into accepting new cross-signed keys. The other problem with an automated approach to key distribution is that it only takes one CA to go rogue - this is currently the case with PKI (especially HTTPS) and it's a major problem that we don't have strong solutions for (aside from certificate pinning).

Would this provide enough security for someone who doesn't know me personally to sign my master key?

That's subjective. My personal answer would be no, because I don't trust the CAs to be foolproof. It makes a certain amount of sense to use web-of-trust within the PGP ecosystem itself, because the sphere of influence is each person's system, key changes are infrequent, and the system is designed from the ground up to work with email. Introducing X.509 and PKI just turns everything into a mess, and moves the sphere of influence out to third-party CAs.

Polynomial
  • `Web of trust allows other users to sign your public key with their private key, and publish those signatures.` – Can you please clarify in your answer how the web of trust works in this regard? I'm having difficulty visualizing the mechanism through which it allows users to publish their signatures. – Matheus Moreira Dec 15 '15 at 15:57
  • Suppose I have a website and a certificate. I then place my public key and its fingerprint on a web page. Does that mean the user will receive my certificate automatically through TLS? It's true that nothing guarantees that CAs are foolproof, but perhaps it could serve as a signature just like the user signatures on the key. The user would then decide if he trusts the CA. If it goes rogue, everyone would revoke their trust. I'm not sure if the GnuPG system can recognize the X.509 signature, though. Is that what you meant by `lacks a real implementation`? – Matheus Moreira Dec 15 '15 at 16:11
  • 1
    @MatheusMoreira To answer the questions in your second comment: you could use an X.509 certificate for your website, issued by a CA, but that's not the same as an identity certificate for a person. However, if people recognise the domain as yours (e.g. from your business card) you could distribute your public key via that site and use the fact that it's valid SSL to provide some assurance, more so if Extended Validation (EV) is provided. – Polynomial Dec 15 '15 at 16:38
  • 1
    @MatheusMoreira With WoT the signatures are distributed via some kind of central lookup service, just like regular keyservers. Alternatively you can just email the signatures to each other. The distribution isn't really critical. – Polynomial Dec 15 '15 at 16:40
  • @Polynomial Regarding your 2nd point about distributing the public certificate, would it make sense to use PGP "notations"? Specifically to S/MIME-sign your UID and attach both that S/MIME-sig + your X.509 certificate as notations on the self-sig of that UID for some PGP key you own? That way, you can develop a small script that can X.509 verify your PGP-key. – ankostis Jan 08 '17 at 02:45
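
The flow discussed in the answer and comments above (sign the exported PGP public key with the certificate's private key, distribute the signature separately, let recipients check it against the CA certificate) can be carried out as a detached CMS/PKCS #7 signature. This is an added example using `openssl cms`, not code from the question, the answer or the comments; the throwaway CA, the name "Alice Example" and the placeholder key file are constructed, and the check happens outside GnuPG's own trust calculation.

```shell
#!/usr/bin/env bash
# Added example. The CA, the certificate and the key file are all constructed;
# in practice key.asc would come from `gpg --armor --export <fingerprint>`.

make_demo_pki() {   # $1 = work dir: throwaway root CA plus one end-user certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Alice Example" \
    -keyout "$1/alice.key" -out "$1/alice.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/alice.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/alice.pem" 2>/dev/null
}

sign_key() {        # $1 = work dir, $2 = exported key; writes detached $2.p7s
  # -binary: sign the exact bytes (no S/MIME line-ending canonicalisation).
  # The signer certificate is embedded in the CMS structure by default.
  openssl cms -sign -binary -in "$2" -signer "$1/alice.pem" \
    -inkey "$1/alice.key" -outform DER -out "$2.p7s" 2>/dev/null
}

verify_key() {      # $1 = CA cert, $2 = key file, $3 = signature; prints signer subject
  local signer; signer=$(mktemp) || return 1
  # Checks the signature over $2 and the signer's chain up to the given CA.
  if openssl cms -verify -binary -inform DER -in "$3" -content "$2" \
       -CAfile "$1" -signer "$signer" -out /dev/null 2>/dev/null; then
    # The recipient still has to compare this subject with the key's user ID.
    openssl x509 -noout -subject -in "$signer"; rm -f "$signer"; return 0
  fi
  rm -f "$signer"; return 1
}

demo() {            # end-to-end run on constructed data
  local d; d=$(mktemp -d) || return 1
  make_demo_pki "$d" || return 1
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
    '(constructed placeholder bytes, not a real key)' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$d/key.asc"
  sign_key "$d" "$d/key.asc" || return 1
  echo "verified: $(verify_key "$d/ca.pem" "$d/key.asc" "$d/key.asc.p7s")"
  echo "# tampered" >> "$d/key.asc"
  verify_key "$d/ca.pem" "$d/key.asc" "$d/key.asc.p7s" || echo "modified key rejected"
  rm -rf "$d"
}
demo
```

A successful check only shows that the holder of the certificate signed those exact bytes; the recipient needs the key file, the `.p7s` file and the CA certificate, and must still decide whether the certificate subject matches the identity on the PGP key.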