8

I love the idea of decentralized trust, the web of trust, and the fact that anyone can run their own keyserver and isn't beholden to a centralized point of failure. But does the decentralized "feature" of the web of trust and the keyserver network make it effectively broken as a method of trusting others? Take for example this criticism:

What bothers me about existing keyservers? I used the phrase "fundamentally broken" not to be all trashy, but because I think there's something broken in the fundamentals. The fundamentals involve PGP itself, and are perpetuated by the keyservers:

  1. The web of trust is really dangerous. I love the idea in theory, but I've been to a key signing party with a whole bunch of smart programmers and it was a mess. It was confusing enough that I don't think I feel comfortable generally trusting most edges in the graph.

  2. Anyone can claim to be any email address and push it to a keyserver. This produces pretty dangerous behavior, if you just choose to look up someone by email address (or get contacted by the impostor and look up by fingerprint.) A counterargument to this is of course that the web of trust will isolate this fake account, but I have sub-problems with this: (a) people may ignore the WoT, and (b) it's very easy for an impostor to get into the web of trust. As an example, it's easy for someone to show up at a key signing party with a fake ID. Not all keysigning parties are among people who know each other, and in fact, many happen at meetup type events.

This bothers me very much, because there is a lot of truth to this. The fact that anyone can post a key to a keyserver and it's automatically published (i.e. without verifying that they can receive email at all addresses associated with the key, and decrypt messages with that public key that is pushed to the keyserver) is a big problem. And the entire "web of trust" is based on our assumption that others who have signed keys within the web of trust are themselves trustworthy.

Are these elements of the PGP infrastructure inherently broken? Does the decentralized nature of trust and the keyserver network inherently allow for the infiltration of untrustworthy characters?

AviD
Jason
  • short answer: yes it is broken – Kamic Sep 29 '14 at 16:15
  • Not that the web of trust is without problems, but what you're asking is "if I use the web of trust without due precautions, will this break the web of trust?" And then the answer is self-evident. – mricon Nov 20 '14 at 19:15

4 Answers

8

Yes, it is broken, if you're

  • confusing the different kinds of trust (nice article, sadly the page is offline, but archive.org has it),
  • using it wrong (e.g., just fetching any keys as described in your question) or
  • want to make others use it without educating them.

The basic idea is totally fine, but you have to be somewhat picky whom to trust (a.k.a. the Vouch, see link above). The concepts behind OpenPGP are rather complicated, and have to be applied with care.

Trusting others is a difficult job, and other trust systems aren't any better - the problem is just a little bit different.


Being specific to a single point:

As an example, it's easy for someone to show up at a key signing party with a fake ID.

This is only a problem if you arbitrarily trust anybody. Also: There might (and probably always will) be some people who wouldn't realize when somebody brings tampered documents. But with the amount of people joining the party, chances increase somebody will realize. And if someone does, he will be very clear on that. Bringing a fake ID card to a key signing event is brave, I'd probably rather go for individual key signings to do so.

Jens Erat
3

Yes, sadly there is considerable consensus now that the PGP Web of Trust / Keyserver infrastructure is profoundly broken.

There were signs for decades that the idealistic people behind this architecture weren't addressing the extreme usability issues and lack of robustness of their approach, but they did not have the resources and vision to deal with those hard problems. They and those who followed their advice got severely burned, unfortunately, when the keyserver network was itself dealt some severe blows. And they no longer even had people who were willing or able to fix the obscure OCaml code in the keyservers, though that might change to some degree.

See:

This is especially sad for me since I invested lots of time and effort, starting in the mid-1990s, building up and researching the Web of Trust, but we just didn't know enough then about how to build usable, secure, robust and scalable collaboration tools.

Thankfully, there are a ton of better tools and approaches out there. My favorite is:

  • Keybase for secure user-centric identity / team collaboration / chat / encrypted signed git repos and more.
nealmcb
2

There are problems with the web of trust but I don't think they are necessarily fatal. I run a keyserver that is part of the keyserver network. Once a week it processes a dump of the database and e-mails me with a list of new keys with e-mail addresses @my employer (a university). Every so often I organise a small scale key signing party. These small scale parties give people more time to check than the large ones you might see at meetings like FOSDEM. Also, getting an e-mail address with my employer implies you're either staff or enrolled as a student. A bit more effort than just fake docs. Universities are good for this sort of thing as you get a reasonable amount of turnover among the students.

The downside to this is that you're really just verifying identity, not trustworthiness, so to make use of a web of trust constructed this way you need a lot of independent paths through the WoT to verify identities of people you haven't met.

William Hay
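The "independent paths" requirement from the answer above, as an added example that is not part of any answer on this page: it counts certification paths between two keys that share no intermediate signer, using unit-capacity max flow with each key split into two nodes. The key names and signature pairs are constructed, and this is not GnuPG's own trust calculation.

```python
from collections import defaultdict, deque

# Constructed sample: (signer, signee) pairs, i.e. "signer certified signee's key".
SIGNATURES = [
    ("ME", "A"), ("ME", "B"), ("ME", "C"),
    ("A", "HUB"), ("B", "HUB"), ("HUB", "TARGET"),   # two routes, both via HUB
    ("C", "TARGET"),                                  # one route avoiding HUB
    ("SOCK", "IMPOSTOR"),                             # signed only by an unknown key
]

def independent_paths(signatures, me, target):
    """Count certification paths from me to target sharing no intermediate key."""
    if me == target:
        raise ValueError("me and target must be different keys")
    cap = defaultdict(int)          # residual capacity per directed edge
    adj = defaultdict(set)          # neighbours, including reverse edges
    def add_edge(u, v, c):
        cap[(u, v)] += c
        adj[u].add(v)
        adj[v].add(u)
    keys = {k for pair in signatures for k in pair} | {me, target}
    for k in keys:
        # Split each key into in/out halves; capacity 1 lets an intermediate
        # key appear on at most one path. The two endpoints are unrestricted.
        add_edge((k, "in"), (k, "out"), len(keys) if k in (me, target) else 1)
    for signer, signee in set(signatures):
        add_edge((signer, "out"), (signee, "in"), 1)
    source, sink, flow = (me, "in"), (target, "out"), 0
    while True:
        parent = {source: None}     # BFS for an augmenting path
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow
        v = sink
        while parent[v] is not None:    # every path is limited by a capacity-1 edge
            cap[(parent[v], v)] -= 1
            cap[(v, parent[v])] += 1
            v = parent[v]
        flow += 1

if __name__ == "__main__":
    print(independent_paths(SIGNATURES, "ME", "TARGET"))
    print(independent_paths(SIGNATURES, "ME", "IMPOSTOR"))
```

In the sample, three routes reach TARGET but two of them depend on the same HUB key, so a single mistaken signature by HUB would invalidate both.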
1

No, though there are inherent trade-offs in the design.

A UID must be signed with the private key. You can't publish a key without at least one UID, therefore you need the private key to publish the public one on an OpenPGP compatible keyserver. Someone who controls the private key can add additional UIDs and revoke existing ones.

As for email verification, it's not desirable and doesn't solve the issue. UIDs are by design compatible with arbitrary data because PGP is not limited to email. You could use a bitmessage address, physical mailing address, Facebook account, or website URL.

Also, e-mail isn't a great channel for verification because it's not public. Keybase is a great project as it gives an easy API to add social media UIDs to your PGP key and a method to verify that other people actually used that keypair on that social media site.

So I don't think WoT is broken, it's just barely been utilized. I do agree that it's really hard to do just via email and meet-ups.

WoT is by design non-authoritative, which has strengths and weaknesses. A weakness is you can get a foot in the door more easily without verification, but on the flip side there is no point you can crack open and make everyone trust you.

WorBlux