ciphergoth | PKI deserves to die

In response http://www2.cio.com/research/security/edit/a05232002.html

From: Carl Ellison <cme@acm.org>
Subject: Re: PKI: Only Mostly Dead

Scott,

as far as I'm concerned PKI is not only dying, it deserves to die
much more quickly. That's because when it works, it still doesn't
work.

See the two papers to which I contributed at last month's PKI
Research Workshop http://www.cs.dartmouth.edu/~pki02/

Look especially at what we call the John Wilson problem. In a
nutshell, if you bind a name to a key, even if you do that always
accurately and even if your certificates interoperate with my
software, you have done nothing for me if there are more than about
1000 certified people in the world. That's because there are too
many John Wilsons. I can't tell them apart by name, when you lump
them all together into one big pool (the pool of all people the CA
certifies -- e.g., a big one like VeriSign -- or a little one like
Intel Corporation with only 70,000 and 8 John Wilsons). If I can't
tell them apart (and people can't -- for which we have definite
proof), then I am forced to make a guess as to which one is the right
one -- if the right one is represented at all -- and when I'm handed
a certificate saying that this S/MIME message or HTTPS page came from
John Wilson, I'm not given the list of all John Wilsons, so I don't
even get to compare them to see which one looks like the closest
match.

PKI deserves to die not because of vendor greed, although there is
plenty of that, but because the original idea was wrong. When you
bind a person's name to a public key you have not identified the key
in a way that is useful to me. That's because if I know the name of
the keyholder, I still don't know who the keyholder is.

- Carl

P.S. I strongly recommend your reading those papers in the preprints
available at the PKI Workshop web site.
+------------------------------------------------------------------+
|Carl M. Ellison         cme@acm.org     http://world.std.com/~cme |
|    PGP: 08FF BA05 599B 49D2  23C6 6FFD 36BA D342                 |
+--Officer, officer, arrest that man. He's whistling a dirty song.-+

Flat | Top-Level Comments Only

From:

wechsler.livejournal.com

If you're posting this in response to the previous PGP comments, you know that PGP's public keys *do* contain more than a name; they contain an (at least one) email address too, which are far more unique.

From:

ciphergoth.livejournal.com

Sure, but does that help? A very effective way to solve the "uniqueness problem" would be to append a sufficiently long random string to the name before signing it, but would that help in practice? When does attesting to my email address tell the person using the public key what they need to know?

From:

wechsler.livejournal.com

What do you think they "need to know"? Your address/phone number? Your appearance? You may as well ask how I know you're you when I meet you.

I'm sure I'm missing something here, I just don't know what.

From:

ciphergoth.livejournal.com

Appearance is good - the extensions to PGP to allow you to sign a photograph strike me as the most useful sort of PKI that I've heard of. If you've met me, you want to know that the person you met uses that key, which you can do using the fingerprints on my personal card. Otherwise... well, it depends why you're emailing me.

You may as well ask how I know you're you when I meet you.

That's not exactly a meaningful question; I'm me by definition when you meet me. The question is rather whether you trust me to know the things you're emailing me about, which is something you establish by non-cryptographic means.

Sure, if I was a secret agent, I could mount a sort of "man-in-the-middle" attack by finding the sort of person I think you would trust and modelling myself on them before meeting you. But there's no cryptographic defence against such an attack, and it's very expensive to mount.

From:

wechsler.livejournal.com

Appearance is good
GPG 1.07 supports the image extensions too. My key at http://www.fromtheshadows.com/mich/gpg3D942CC8_px.asc has the pic in it.

But I "know" many people online I've never seen or met. I know them by their socio-ethical positions, their hobbies, interests, phrase structure - intangibles that can be hard to quantify. But once I've conversed with them for a while, the one tangible identifier I'll tend to know is their email address. Yes, they could use a fake one, but any exchange of mails creates a "challenge-response" sequence that proves that this person is the entity (or an entity) being this email address.

My question was somewhat whimsical but not entirely without meaning, perhaps it would have been clearer to say "when I meet someone who appears to be you"; I know *you* well enough that your appearance has registered in my memory well enough for me to compare the image I see at that point (under whatever gothery applies) to that stored with a high degree of confidence. But there are many people I'd half-recognise, and possibly use voice and speech patterns to confirm this recognition.

People who've last met me 3 years ago (hi

cybermuppet) don't tend to recognise me by any of these biometric means, so there tends to be a conversational challenge-response to "prove I'm me".

I'm not quite sure where I was going with this, I think I was saying "neither email address nor appearance are the same as 'identity'". I really need more inspiring work and less stress to keep my mind running at a higher level.

From:

ciphergoth.livejournal.com

That's why my PGP key fingerprint is in all the emails and newsgroup posts I make. Cut out the middleman - email addresses can too easily be whisked from your control (eg wechsler@ukcycling.info if that's not too sore a point) and bind directly to "the person making these posts" as powerfully as possible.

From:

wechsler.livejournal.com

Ok, this is all making sense... you're agreeing that identity can be established by recurrent email/posting, and saying that having not just the email address but the fingerprint as an element of that identity ties the key in far more tightly? If this is what Ellison is advocating, then I can see his point on this count. Or does he mean that your fingerprint should *be* your address?

Time to update my sig, anyway.

If, as is then possible with G/PG/P, you *can* tie a key to an identity (even if it takes time) - and have a comparetively open and interoperable standard, I think that the blanket statement 'PKI needs to die' is incorrect. It would seem that PKI *can* work, with a little help (by people establishing sufficiently unique and non-copiable identities as a factor of the key).

Partial, vendor-driven PKI solutions with repeated/copyable identities, are evidently a very different matter.

From:

giolla.livejournal.com

Given how easy it is to get a photo of someone, either from a web site or by taking one, and allowing that it's easy to "whisk" away control of an e-mail address. What exactly does adding a picture to the key/certificate/id file achieve?
If I'd whisked away control of one of your e-mail addresses I could easily add a photo to the signed block and thus potentially make people more likely to think I was you than you were.
IYSWIM

From:

ciphergoth.livejournal.com

I'm not thinking of self-signed photos, which as you say don't do much to authenticate the key. I'm thinking of photos signed by trusted parties, PKI style (except that the CA is some trusted person I know rather than Verisign). Of course people can look very similar to each other, but it goes a lot further towards identifying someone than a name.

For one thing, you can't arbitrarily change your appearance, whereas I could if I chose change my name to Wechsler or Giolla Decair and then the only way in which your claim to the name would trump mine would be priority, which doesn't work for John Wilson.

From:

ukfetish.livejournal.com

> Of course people can look very similar to each other

Hrm, yes. So far today, while following this discussion thread, I've had three people walk past me at work, stop, and ask me "Is that you?" (referring to your journal photo) :)

Regards,
Denny

PS: Here's a larger version of the photo I use here (http://www.concretecow.com/denny/graphics/denny.gif) and another pic of me (http://www.concretecow.com/denny/graphics/denny2000.jpg). I don't see the resemblance myself, but then I'm used to associating with people who have long dark hair and tend to wear black, I don't regard those as useful identifying characteristics :)

From:

wildeabandon.livejournal.com

Hrm, yes. So far today, while following this discussion thread, I've had three people walk past me at work, stop, and ask me "Is that you?" (referring to your journal photo) :)

That's weird. Other than both being cute with fantastic hair, I can't see much resemblence.
*confusedelise*

From:

ciphergoth.livejournal.com

That's the sort of resemblance I can handle! ta!

From:

ukfetish.livejournal.com

I think it was 'Duncan McLeod of the clan McLeod' who said "Chicks dig the hair" :)

~D.

PS: *blush*

From:

giolla.livejournal.com

For photo's who would count as a trusted third party, and how much do you think
that would cost per key? If you're thinking of a PGP style web of trust then
it'll fall over pretty quickly either by deliberate misuse or just because
people are crap and will say they trust things they shouldn't.

Photo's aren't much use for idenitfying people you've never met, and are of
even less use for identifying machines.

As far as trusting the "key" goes why would I want to? A key that isn't tied
to some other information isn't the slightest bit of good. I need to know that
a given key is associated with the machine I'm connecting to, the e-mail
address I'm communicating with, or the user I'm authenticating. So unless I
associate thet key with some other data it's useless.

If you give me a key and say it's your key, then yes I can trust it directly
and likewise for your server. However I'd want to make a note of that, and
would then might want to pass on that note when someone who asks me for your
key. They'd of course then have to trust me when I say ciphergoth gave me
this key and it's really his. They'd probably make a note of it in fact. Of
course having been given the key by me with or without an attached note, they
should verify the finger print directly with you in the same way they should
now. If I was using the key to exchange e-mails with you I'd probably note
your e-mail address against it and oops back to square one.

To be useful you need a fixed relationship between the key/finger print and
some pointer to a unique idenitifier, and unless I've met you and until image
recognition software is a lot better a photo isn't it.

Also I'd have to refute your statement about the chances of a fingerprint/key
being unique, that is only true for a given implementation of the PK part of
PKI, but if you get the I part right the uniqueness or otherwise of the keys
themselves really doesn't matter as much, as in most infrastructures
the signed data normally contains several bits of unique data.

The problem with PKI isn't the cryptography, it's the infrastructure part.
Maintaining trust, distributing keys, and revoking them if the data they are
associated with changes. Doing this within limited communities, such as
within a company/* or a community small enough that photo's are viable */
is fairly easy, but to date no one has made it scale well. Changing which
bit of data you trust doesn't move you any closer to resolving the problem

From:

ciphergoth.livejournal.com

Photos are useful when I want to exchange encrypted email with my friends. If I have your signed key, and you sign a certificate binding a photo to

ruis's key, I can have the greatest confidence that the key belongs to the person I want it to. They're not so useful in a commercial setting.

Why does it make more sense to trust a domain or an email address than to trust a key? They are more fickle.

Also I'd have to refute your statement about the chances of a fingerprint/key being unique, that is only true for a given implementation of the PK part of PKI

Er, eh? If the probability that two parties might have the same public key is non-negligible, the crypto is weak. If the probability that two parties with distinct public keys might have the same key fingerprint is non-negligible, the crypto is weak. Only broken systems can have fingerprint collisions. I'm somewhat familiar with all the PK signature algorithms in widespread use, but what I'm saying here is provably true of all PK systems and all hash functions. If you really want to refute this point, please at least provide a counterexample.

From:

ciphergoth.livejournal.com

GPG 1.07 supports the image extensions too.

Cool! Sadly Debian "potato" only comes with 1.0.6; now I have to decide whether to force an upgrade...

In some ways I think we're saying the same thing. People advertise PKI as a way of verifying someone's identity, but all it gives you is a way of verifying name and email address, neither of which are good for the purpose. Consider the problems involved in binding the pair ("Wechsler", wechsler@ukcycling.info) to a key; one is not your legal name, and the other is no longer your email address.

From:

djm4

Ah. I've never thought of PKI as a means of verifying identity in and of itself - more a means of continuing to trust an already establised identity, or of being resonably sure that I'm talking to person X and only person X, even if I don't otherwise know who person X is.

So wechsler@ukcycling.info is no longer Wechsler. Well, that's OK, because the person who now owns that doesn't have Wechsler's private key, so suddenly e-mails coming from that address are unsigned, or signed with a different key, either of which might cause me to go 'Ah - I'm no longer sure that's the Wechsler I know'. Wechsler's private key is the associated with an e-mail address that's no longer valid for him, but as soon as he's told me what his new e-mail asddress is I can update my records. I still trust his public key itself, and can verify documents signed with it and encrypt documents that only he can read (even if I have to wait to find out where to send them).

From:

ciphergoth.livejournal.com

Right, so what you're saying is, you trust a key directly, not an email address. That's Ellison's position. If you trust the key to be the Wechsler you know, you don't need any certificates to verify it. If you don't, a certificate binding it to an email address won't help you.

From:

djm4

It helps me establish who the key is claiming to belong to, and who says so. In a lot of cases, this may be all the level of trust I need. If it's not, at least I have clues about where to look next.

If this agrees with Ellison, that's great, but the portion of his argument that you quoted looked like a big fat straw man to me. He says that one especially brain-dead method of identifying people uniquely - 'Forename Surname' - doesn't work. Well, who'd have thunk it, eh?

I don't see why this means that the whole concept of PKI is flawed. All it means is that people are trying to use it to do things it is not designed to do.

From:

djm4

Sure, but does that help?

Yes, I think.

An e-mail address is unique (accepting that some e-mail addresses go to multiple people, and others are attached to a job/position rathe than a person). It's certainly easy for me to get an e-mail address that I and no one else use.

It's also a precise sequence of ASCII characters, which means that it's easy to match (as opposed to, say, biometrics, which may vary).

It's true that I don't know that your e-mail address is you, but that's not the problem talked about. The 'John Wilson' problem is more or less solved, because not only will all John Wilsons have different e-mail addresses, but I've got at least a fighting chance of knowing whether I've got the right one based on the e-mail address.

At the very least, in the e-mail address I have an unambiguous key with which to search other sources of information that may be useful in identifying and verifying the person.

From:

ciphergoth.livejournal.com

Ellison advocates using public key fingerprints directly for the purpose you assign to email addresses, which entirely eliminates the potential weak link in security that PKI is supposed to address.

From:

djm4

They work too, but are less instantly recognisable for people I know. This may or may not be an issue, depending on what you're trying to use PKI for.

Are key fingerprints guaranteed unique, though (genuine question - I don't know enough about PGP to know)? If not, a key fingerprint/e-mail combination would be OK, wouldn't it?

From:

ciphergoth.livejournal.com

Are key fingerprints guaranteed unique?

Short answer: yes, effectively as unique as public keys. The difficulty of generating a collision by the most effective attack known is around 2^80 (for modern 160-bit fingerprints anyway), which is beyond anyone's reach at the moment. The difficulty of finding another key that has the same fingerprint as a specific key is believed to be 2^160.

From:

djm4

That's not the point. I'm not talking about deliberately attempting to create a key with the same fingerprint as another one, I'm talking about it happening by accident. If it can happen by accident (no matter how small the chances are), then a public key fingerprint is not suitable as a unique index in the way that an e-mail address - guaranteed to be unique by the way e-mail addresses are constructed - is suitable.

From:

ciphergoth.livejournal.com

I understand why you might feel this way, but accepting a negligible probability of failure is pretty much an inevitable part of using cryptography at all. You just get used to thinking of "fails with negligible probability" as the same as "flawless".

From:

djm4

...a negligible probability of failure is pretty much an inevitable part of using cryptography at all.

Well, yes, I get that, but it doesn't mean that I have to accept an unnecessary probability of failure.

There are several ways of generating a unique index that are flawless (or, at any rate, flawless as long as the system works, which I realise is a pretty big 'if', but it's a different question). E-mail addresses are unique. An auto-incremented integer is unique. Network card Mac addresses are unique. None of these systems have to accept 'well, theoretically the system could generate two or more identical IDs, but it's highly unlikely' - if they're working properly, they can't generate identical IDs.

So why should I accept even a negligible probability of failure when I don't have to?

From:

ukfetish.livejournal.com

> Network card Mac addresses are unique.

I seem to remember reading somewhere that a few manufacturers had screwed this one up, using the same pool of numbers as each other for quite a while for some reason. It didn't show up for a while because companies tend to buy cards all from one manufacturer...

Regards,
Denny

From:

ciphergoth.livejournal.com

if they're working properly

I think you just destroyed your own argument. The practical probability of collison so vastly swamps the theoretical one in both systems, that adding complexity to the system to avoid a negligible probability of failure is the Wrong Way to Go.

There are for example Ethernet cards with colliding MAC addresses, because the manufacturers made mistakes.

Really, preferring a system with zero probability of failure over one with a negligible probability will take you the wrong way in security terms.

From:

djm4

Point taken, but I'm still not convinced. What's wrong with using a key fingerprint coupled to (say) an e-mail address?

From:

djm4

Just to reply to my own point - I think that one thing that bothers me is that it's perfectly valid for two public keys to have the same fingerprint. The only thing it screws up is the unique index in a database that has nothing directly to do with PGP itself. There's no immediate requirement for one or other person using the keys to change.

Whereas if two people get accidentally allocated the same e-mail address, then that actually buggers up mail delivery on the Internet a bit. E-mail delivery for one or both people will, in principle, be broken until one or other of them gives up the e-mail address.

I don't like the idea of creating a system that by implication invalidates something that would have been valid before (two keys with identical fingerprints). I'd far rather base it around something that's aleady invalid (fingerprint and e-mail pairs that are identical).

Did that make any sort of sense?

From:

ciphergoth.livejournal.com

I'll have to explain this to you in the pub sometime. I see why you feel this way, but you're not thinking like a cryptographer...

From:

djm4

Well, no, I wouldn't be, would I? ;-)

From:

ukfetish.livejournal.com

How much does one have to drink before one starts to think like a cryptographer then? ;)

~D.

From:

ukfetish.livejournal.com

I think it might help here to expand 2^80 so that people can see how it relates to the number of people who might be creating these fingerprints. If 2^80 is significantly bigger than the total pool of fingerprint makers then using 'negligible chance of failure' and 'flawless' in the same context would make sense to me. If 2^80 is within an order of magnitude of the number of possible fingerprint makers, then it's not what I'd call a safe risk to take...

Does that make sense? I'm speaking from a position of complete ignorance (but considerable interest) here :)

Okay, I just worked out what 2^80 is :) I'd say 1,208,925,819,614,629,174,706,176 is a fair bit larger than the total pool of email users for the foreseeable future. I'm with the 'negligible chance' vote here *laugh*

Regards,
Denny

From:

djm4

Thank you, I do know how small a number the reciprocal of 2^80 is. I'm still stumped as to why I should accept even this probability when I can reduce it to a theoretical probability of zero with very little effort.

From:

ukfetish.livejournal.com

> Thank you, I do know how small a number the reciprocal of 2^80 is.

Good for you - I didn't.

Therefore I worked it out and posted it for the benefit of any slow types like myself who are very interested and trying hard to follow the conversation. I find it easier to gain an emotional appreciation of the expanded form of the number than I do to gain any feel for the exponent form (or whatever that notation is called).

I'm with you in that I don't understand what's wrong with using an email address as the unique identifier, but I guess I'll just keep reading the arguments until the light dawns on me (possibly).

Regards,
Denny

From:

ciphergoth.livejournal.com

It's better than that. If A is the number of identifiers in use, and B is the size of the identifier pool, the probability of collision is on the order of A^2/2B (where A and B are large, and A^2 << B). So if you assume that everyone on the planet (6E9) has a million public keys, then the probability of collision somewhere in that entire keyspace is under 1 in 40 million billion.

From:

giolla.livejournal.com

I'd disagree with that, but then I've never worked on a PKI project which bound a key to a name rather than either an UID, e-mail address or FQDN.

That said PKI within a given company/community is a lot more useful than a general wide spread PKI /* at least as far as any I've seen implemented to date */

From:

ciphergoth.livejournal.com

PKI will be useful when I can explicitly bind to public keys the information someone who plans to use them might need to know in order to trust them. That's not a UID, e-mail address or FQDN. See my response to

wechsler.

From:

giolla.livejournal.com

Odd, 'cos when I use PKI those are the 3 things I generally want to know:
If I'm connecting to a server I want to know that it is the right server, so the certicate needs to show me that.
If I want to send/recieve encrypted mail I want to know that it's from/to a specific e-mail address /* The identity behind that I'll either not care about or have verified by other means */

And within a company/network to identify what a given person is allowed to do I need either a UID or an e-mail address from which I'll extract the UID.

What information would you have bound to a key that would be more useful?

All 3 of these attributes, possibly along with an LDAP DN that I could look up else where, solve the uniqueness problem in an easy to understand way.

From: (Anonymous)

The information I would bind to a key that is more useful than a domain name or e-mail address or common name is the name I use to identify the entity -- the keyholder's SDSI name. That is an identifier that means something to me. The others are all subject to the John Wilson problem.

Of course, the SDSI name can also be confused. This is because of the way we are built to use names, but I don't have time to go into that in detail here. Needless to say, this whole topic needs a lot of work.

Using pictures instead of names, as was suggested in another thread, might be better, but I do know of people who look so much alike that even that is subject to confusion.

- Carl