1

Let's say that there is a company that needs to make a few employees' OpenPGP public keys publicly available for customers of the company over the Internet. Distribution of the keys would be simple, but how can this company ensure that these keys truly belong to those employees?

One way to do it is to make a webpage which is available only over HTTPS (prevents MitM attacks). The web-server certificates are encrypted by a trusted certificate authority (ensures that web-page actually belongs to that company). This web-page then contains the public keys of the employees.

Is there a better (more secure or easier to use) way to achieve verification of the public keys' identity?

Physical distribution of public keys is unfortunately not possible in this case.

INV3NT3D
Martin
  • 2
    What's the problem of making the **public** key **public**? Why do you need to secure the transport? – Steffen Ullrich Oct 19 '16 at 15:16
  • 1
    I think the issue is that Public Keys need to be attested to - they are public, yes, but they must be the RIGHT public key for the RIGHT person. I think server over TLS from a domain appropriately associated with the company is a reasonable way of doing this, yes. – crovers Oct 19 '16 at 15:46
  • 1
    I don't think it makes sense to guess what the OP means, i.e. if he does not understand the concept of public keys, means private keys or cares more about making sure that the association between user and key is not lost. As long as the OP does not clarify the question I recommend to close it as unclear. – Steffen Ullrich Oct 19 '16 at 16:01
  • 1
    Sorry if my question was a bit unclear. @crovers That's exactly what I meant. – Martin Oct 19 '16 at 16:07
  • 1
    Martin, I have edited your question to reflect your comment and deleted my answer as it doesn't pertain to what I assumed your question was. Please roll back my edits if they do not properly represent your question. – INV3NT3D Oct 19 '16 at 16:38
  • I'd say that for a basic solution what you're suggesting would be fine. You're essentially saying "the person that controls this website says that these keys belong to these people", which isn't bad (assuming you have a reasonably secured website). Another option, if you make use of social media sites like GitHub, would be Keybase, which can tie a key to an identity on those sites. – Rory McCune Oct 20 '16 at 13:24

3 Answers

3

You want to guarantee that the key you give out isn't compromised on the way to the recipient. The easiest way is to use an authenticated, encrypted communications channel such as HTTPS (as you mentioned in your question). Sites that fit these criteria, are publicly available, and are made specifically for distributing keys already exist and are easy to use. A common site is https://pgp.mit.edu/ but there are others as well.

Really, the biggest benefit to a site like MIT's is that you don't have to worry about setting up HTTPS. If you have your own HTTPS site already set up then you could just as easily add a page with your organization's public keys.

Some other options that I think are less convenient:

  • Send the recipient an email that you signed with your key. This includes the public key by default. If you are concerned that the email will be tampered with, then call that person and have him verify the key's fingerprint. It is short enough that over-the-phone verification isn't unreasonable.
  • Use a VPN to create a secure channel and transfer the key over the VPN.
  • Get a mutually trusted certificate authority to sign your public key.
Owen
  • 3
    The public keyserver sites generally make no effort whatsoever to verify that the key really corresponds to the claimed identity. Relying only on HTTPS in this case is insufficient: you are only guaranteed that it is really MIT (or whoever) that is relaying this possibly fake key to you, as it was provided to them by an unknown and unidentified person or entity. HTTPS *on your own site* makes much more sense, especially if you have an EV cert or if your domain name is well known. – John Morahan Oct 19 '16 at 16:50
  • @JohnMorahan But that isn't a big concern if you upload the key yourself, then give out the link directly to that key – Owen Oct 19 '16 at 16:55
  • 3
    but then you still need to distribute the *link* securely... – John Morahan Oct 19 '16 at 16:57
2

PGP is designed to use a "web of trust" to authenticate public keys. There is no central authority (like a CA) for PGP, so you need to have other people sign your key.

To validate a key, you compare how much you trust the people who have already signed it, with how much you trust them. If you see only one signature, and it's from nobody you know, then maybe you shouldn't trust it much. But if it's signed by five people, and one of the signers is your boss, you would probably trust it quite a bit.

Web of trust -- signing

Key signing is important to PGP, but it's hard to understand at first.

When you sign a key, you consider two factors: how well do I know you are who you say you are, and how much do I trust you to check other people out before you sign their keys?

If you were my best friend, I would attest that you are without a doubt Martin. But I don't know you at all, so today I wouldn't sign your key. Now, let's say we met at a conference, and you asked me to sign your key. I'd ask you to show me your driver's license first. I'd sign your key then, with a level that matches my confidence that your license wasn't forged.

But I still don't know you as a person. I don't know if you're a responsible type or not, so I wouldn't place any trust in your ability to be careful when checking out other people. But my best friend is a very careful person, and I would also trust him to check out other people very carefully before signing their keys. So I would sign my friend's key and attest that my level of confidence in him is very high.

Web of trust -- using

So now you have a public key from someone. How do you trust it is actually their key? You look at the signatures. You look at who attested to the authenticity of this person. Are those signers people you trust? Are they famous people? Are they just random strangers? Did the signers place a lot of trust in the key, or just an acknowledgement that they signed it? If the signers are people you trust, you'll quickly accept it. But random people? Maybe you can trust it if enough of them signed it. And that's where you set your threshold level of trust. You'll trust a key that your best friend signed. You'll trust a key that your best friend said was signed by a good guy, but maybe not one where your friend said "I don't know him well." Otherwise, maybe you'll choose to trust it if it has 10 or more random signatures.

Ultimately, there is a "strong set" of about 50,000 signers who people around the world do trust. If two or three of them have signed a key, it's a strong indication you should trust it, too. People from that group are who you really want to sign your keys in order for members of the public to trust yours.

Organizations

So now you have some people in your organization you want to entrust with PGP public keys. How do you get their keys trusted? First, have them sign each other's keys. Then, get them signed by others. Lots of others. Post those employees' public keys on your official web site's "contact us" page. What you want is to establish many connections into the web of trust so that many people, some of whom are well respected and trustworthy, have attested that these employees are who you say they are.

John Deters
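
The threshold idea in this answer can be made concrete. As an added example, not part of the original answer, the code below is a simplified model of the validity rule the GNU Privacy Handbook describes for GnuPG's classic trust model: a key is accepted if it is signed by one fully trusted key or three marginally trusted keys, within a path of five steps from your own key. The key names, the sample keyring and the function name are constructed.

```python
FULL, MARGINAL = "full", "marginal"

def valid_keys(me, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: path length} for every key this user would accept.

    signatures: {key: set of keys that signed it}
    ownertrust: {key: FULL or MARGINAL}, how far the user trusts that
                key's owner to check identities before signing.
    """
    valid = {me: 0}                       # the user's own key is the root
    trust = {**ownertrust, me: FULL}
    for depth in range(1, max_depth + 1):
        accepted = []
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures made by already-valid keys count at all.
            counted = [trust.get(s) for s in signers if s in valid]
            if (counted.count(FULL) >= completes_needed
                    or counted.count(MARGINAL) >= marginals_needed):
                accepted.append(key)
        if not accepted:
            break
        valid.update((k, depth) for k in accepted)
    del valid[me]
    return valid

# Constructed sample: a customer ("me") evaluating a company's employee keys.
SIGNATURES = {
    "boss": {"me"}, "m1": {"me"}, "m2": {"me"}, "m3": {"me"},
    "alice@company": {"boss", "stranger1"},    # one fully trusted signer
    "bob@company": {"stranger1", "stranger2"}, # only unknown signers
    "carol@company": {"m1", "m2", "m3"},       # three marginal signers
    "dave@company": {"m1", "m2"},              # two marginal: not enough
    "erin@company": {"alice@company"},         # signer valid, but untrusted
}
OWNERTRUST = {"boss": FULL, "m1": MARGINAL, "m2": MARGINAL, "m3": MARGINAL}
```

Note that `erin@company` is rejected even though the signing key `alice@company` is itself valid: believing a key belongs to its owner and trusting that owner's signatures are separate decisions, the two factors the answer distinguishes.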
-1

A company can simply run its own keyserver and control all the keys on it, usually on a server named keys.company.com.

There is SKS for Linux et al, or if something for Windows is required, there is an Enterprise KeyServer: https://www.giepa.de/products/enterprise-keyserver/?lang=en

Tomato
  • Your answer doesn't point out how manipulating the keys on delivery can be made hard. – UTF-8 Oct 20 '16 at 13:03
  • You mean MITM attacks? If you can't trust an SSL connection to a keyserver then you will need to validate the key in a different way, e.g. verbally compare fingerprints. – Tomato Jul 05 '17 at 16:09