24

[PGP] can get paralyzed by excessive analness. — Phil Zimmermann

Preamble

I am in the process of building my own web of trust. That is, I want people (PGP users…) to be—fairly—sure that, by using my public PGP key, they are actually communicating with the real me (which can be achieved by checking who signed my public key, and if they seem trustworthy, then I could be too).

When my [public] key will have enough trusted signatures, my own signatures on other people’s keys will have much more sense. Bad-case example scenario: I sign Mallory’s (a bad guy) key, then one year later, my key is signed by, say, a Debian maintainer (a very trusted guy). If that guy is trusted and signed my key, then it means I am trusted too; and if I am trusted too, it means that Mallory is trusted too, right?

Question

I sign other people’s public keys with the following GPG command (on Linux):

gpg --ask-cert-level \
    --cert-policy-url http://diti.me/pgp/ \
    --sign-key 0xFFFFFFFE

The above command enables me to sign the 0xFFFFFFFE key with a policy URL (giving out info about how I verify and sign the keys) and allows me to choose:

How carefully have you verified the key you are about to sign actually belongs
to the person named above?  If you don't know what to answer, enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

The question is: Can I sign, with level 3, the key of a friend I have been knowing for several years? Needless to say I trust him (& his seriousness in keysigning), and would still perform careful checking (extended questioning, adding a TXT field in his domain name’s records, and so on?).

Phil Zimmermann wanted people to use PGP, not simply geeks. I want to avoid what he calls “excessive analness,” whilst still being considered as a serious person (for the web of trust matters). As such, I would like to mix the two together: to simplify the verification process for friends whose I can accurately verify the identity and key, while not breaking my WoT.

Hopefully my question and concerns make sense.

Diti
  • 814
  • 9
  • 17
  • The “I have been knowing for several years” bit of my question is relatively significant, because it implies that I know enough about the person to be able to confirm his/her identity; the only thing left to me is to verify/validate that he/she is the actual owner of the key. – Diti May 09 '13 at 22:53

3 Answers3

17

In the end, you can sign whoever you want to. There's nobody to control you and nothing to check what you're doing (and how you're doing it).

I would consider signing a well-known (to me) person's key valid, if I can be sure I'm receiving his key untampered over a secure channel. If you're totally sure to be able to recognize his voice or make some other check it's the right person (eg. by asking questions only he is able to answer on the phone), I'd be fine with signing a key this person sends me over this established trustworthy connection (eg. by speaking it into the phone). I'd not be fine with signing a key found on a keyserver (everybody can upload keys for arbitrary UIDs, have a look at all the president's keys) or received in an unsigned (without a signature by another already trusted key) e-mail.

Trust in Identity

When you give a "sig3" on your friend's key by using the gpg sign command, you certify you're (pretty) sure he really is the person he pretends to be using his UIDs. When the Debian maintainer signs your key, he's certifying that you are the person you're pretending to be.

That's all for now. Neither you nor the Debian maintainer made any statement on whether they trust in your capabilities (or your friend's) to carefully perform key signings.

The signing policy you mentioned can help others to decide on how they put trust in the signatures you issued.

Trust in the Person's Capabilities and Motives ("Vouching")

If you're sure that your friend is capable of reliably signing other keys, you can put another kind of trust on his key using gpg trust. Using this, you can order GnuPG to regard the signatures issued by your friend as if they're issued by yourself.

This information is only valid for yourself; it is neither included in keyservers nor otherwise exported keys:

A key's trust level is something that you alone assign to the key, and it is considered private information. It is not packaged with the key when it is exported; it is even stored separately from your keyrings in a separate database. (from the GnuPG manual)

Having (multiple) trust paths ("identity signatures", the kind of trust I explained first in this answer) to some unknown can be read as hint everything should be fine, but remember you're trusting everybody in the trust chain right now. Most of the people are honest and well-capable of performing valid signatures, but haven't you ever been perceived by somebody you wouldn't have expected it of? If somebody really has a reason to fraud you, he might be able to somehow get a chain of trust on some weird paths.

There is an excellent article about trust in OpenPGP: There's Trust and Then There's Trust and Then There's Trust.

Jens Erat
  • 23,446
  • 12
  • 72
  • 96
  • Kudos for this well-understandable, detailed answer! Your explanation is great because it relates my case (you are talking about my friend), while still being general enough for other readers to understand. Anyway, if I get it correctly, “trust in identity” and “vouching” are both labelled as “trust” in GnuPG, but the first should actually be labelled “ownertrust”, shouldn’t it? Thank you kindly! – Diti May 09 '13 at 22:49
  • 1
    Funnily enough, the blog post you linked to at the end [gave me an "untrusted" error message](http://i.stack.imgur.com/qpElJ.png). – IQAndreas Sep 17 '14 at 14:56
  • The article is also in the web archive, I changed the URI. – Jens Erat May 12 '15 at 20:33
  • 2
    The sad truth is the vast majority of people signing GPG keys are not experts in detecting document forgery. I am quite convinced that with a half-decent false passport it would not be difficult to get many well-connected and widely trusted people to sign your key. – Peter Green Mar 16 '18 at 19:40
  • 1
    You're right: take one of those barely secure pre-2017 Italian Identity cards (typewritten and a stapled passport image on folded cardboard) to a key signing party, and probably nobody will even care. – Jens Erat Mar 18 '18 at 21:23
10

If I don't know you beforehand, then what sense can it have, for me, to be fairly sure that I communicate with the real you ? For all I know, I cannot be sure that you exist at all, and your existence will remain irrelevant to me as long as you do not interact with me.

That's the main, big, blatant failure of PGP's Web of Trust: it tries to ensure strong linking of public keys to identities, without bothering to first define a consistent notion of "identity".

For instance, right now, by this very message, I begin interacting with what I can assume to be (plausibly) some sentient being (presumed human, then) who somehow chose, for that one question, to go under the pseudonym of "Diti" and a face which looks vaguely like a duck. If I want to exchange confidential emails with that human entity, then I will want to send the messages to "the Diti who wrote that specific question in security.SE". That is the notion of identity I would want to use. PGP's key signing would link some public keys, that I don't know beforehand, to email addresses, that I don't know either ! To be effective, people who "sign keys" would have to sign statements like: "I, bob@example.com, guarantee that public key 0xA7C083FE really belongs to the guy (or girl) who wrote the 'Is it okay to sign a PGP key without an IRL meeting?' question on security.SE on My 9th, 2013".

You can meet all the Bobs on Earth and have them all sign your key, with the highest "checking levels", it won't give me any useful information. Linking your private key to your name or email address has no meaning to me, unless I already know you for some other reason -- at which point the WoT with its automatic chaining through complete strangers just loses any relevance.

There is another side to the same question: why would you want to guarantee, with such implacable strength, that a given public key is really yours ? If it works, it will only make all your signed messages traceable to you, and usable as proofs against you. That's like bringing your own shovel to a cemetery.

In the case of digital signatures, nobody in his right frame of mind should actively pursue the possibility of producing signatures. What we want is other people to generate signatures.

Therefore, my answer is that you can sign keys with whatever "policy level" you wish; it won't break PGP's Web of Trust because there is nothing to actually break.

(Which is kind of a blessing. A world where PGP's Web of Trust works is a world where everybody is uniquely identified, pinpointed in space and time, and globally accountable. When you come down to it, that would be quite Orwellian, i.e. awesome but scary.)

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
1

The fact is the web of trust is not terriblly secure. The vast majority of people doing keysigning are doing it based on a fairly cursory look at the person's ID. Get a somewhat convincing fake passport and you could easilly get signatures in whatever name you wanted.

Compared to that having known someone for years looks positively secure.

What you do want to do is be sure the person making the request is who you think it is. If it's someone you know well personally having them read out the key fingerprint over the phone is probablly reasonable in addition to any online checks. This helps to verify that it really is the person you know and not merely someone who has stolen their account credentials.

IMO the main thing the web of trust does is protect against "internet fuckwads".

Peter Green
  • 4,918
  • 1
  • 21
  • 26