About PGP Signing a File.

Jeffrey F. Bloss jbloss at tampabay.rr.com
Tue Feb 13 12:29:46 UTC 2007


Matthew Flaschen wrote:

> >>> It's entirely possible that the guy's keys were stolen in the
> >>> intervening night.
> >> Also true, but that's what revocation certificates
> >> (http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-key-revocation.html) are
> >> for. Constant vigilance.
> > 
> > If your keys have been compromised a revocation certificate is
> > mostly useless.
> 
> Eh?  An attacker can sometimes create a false revocation certificate,
> but that doesn't stop you from creating a real one.  It's true that it

There's no "can sometimes" about it. If your keys are compromised
in this context an attacker can create revocation certificates all day
long. And neither the valid nor the invalid revocation certificate
carries with it any mechanism at all to make a determination. That's
the whole point.

Revocation certificates are very useful as tools to deal with
inadvertently destroyed or unusable keys where physical security is a
known quantity, not for identifying compromised keys. The only way to
do that is to reestablish a credible secure presence and disclaim the
old one. Anything less is quite literally using a known broken tool to
validate something it's not generally designed to validate to begin
with. And that's just silly no matter which way you slice it. 

> won't propagate perfectly over automated systems, but you can also use
> the same out-of-band communications you should have used to establish
> your identity.

Out of band has nothing at all to do with this. Yes it's a valid way
to establish some level of personal credibility, but that credibility
doesn't scale to digital certificates at all like you seem to believe
it does. Even knowing someone all your life and watching them generate
a key in person right after the blood tests is meaningless once you
leave the room, without a considerable amount of investment that has
nothing at all to do with PGP. Worse than meaningless in fact, because
you carry with you a high level of trust regarding that key and the
process you're leaning on to support that trust has absolutely no
mechanism for supporting anything like it at all.

> 
> > In fact a nefariously created revocation certificate is one
> > potential attack vector. Imagine the fun you'd have trying to
> > reestablish a secure communication channel starting from scratch,
> > when someone has effectively demolished the mechanism you were
> > using to authenticate yourself. :(
> 
> That's true, but a totally separate issue.

No, it's *the* issue. There's any number of ways this sort of digital
signature scheme can be trivially exploited or simply fail under its
own weight. A "DoS" attack perpetrated by forged/bogus revocation
certificates is just one of the inherent weaknesses that make PGP
signatures so unsuitable for proof of authorship that most
experts in the field consider them utterly useless.

PGP is nearly ideal for keeping data out of the hands of those who
don't hold keys, and guaranteeing data hasn't been altered. Not for
providing authenticity or proving authorship. 

> 
> > Yet another reason PGP should never be used for proof of identity...
> 
> No, you establish your identity (i.e. tie a real-world identity to a
> given key) separately (in person), then use PGP to show that key is
> the source of a message.

As I've stated quite plainly several times already, there are ways to
help give digital certificates the sort of credibility far too many
people assign to them as a default. They're generally either
unmanageable to the point of being ludicrous for most laypersons' needs
or fraught with their own perils. Regardless of that, verifying someone's
identity at the time of key exchange is such a small part of any of it
that it's almost irrelevant. The verification process itself is
exploitable, and it offers absolutely *zero* forward security. So
verification itself requires a high degree of complexity to be
reliable, and evaporates when you blink.

> 
> All security mechanisms are vulnerable if you lose the secret.  So,
> don't do that then.  PGP is not unique, and is better than most
> because you're not supposed to share a secret with anyone (unlike
> e.g. passwords).

Irrelevant. What's "supposed" to happen, what "can happen", and whether
or not some protocol or mechanism addresses what happens in reality are
completely unrelated. The bottom line fact is that PGP/GnuPG do so
little to verify a key holder's identity that if you want any
reasonable level of trust you have to look elsewhere. Plain and simple.

Note: GnuPG2 with its evolving smart card support is *one* direction
that's being explored to address these very real, and developer
acknowledged weaknesses. If you assume that a certain authentication
token can't be duplicated and is issued under tightly controlled
circumstances then you *do* begin to add some amount of plausible
reliability that a signer is an identifiable author. But even this is
still in its infant stages and not anywhere near ready to be trusted
outside the realm of a "community laboratory", if you will.

Once again, there simply is no reliable method of proving "digital
identity" currently available. It's been a problem for decades that's
not much closer to a solution now than it was when the issue was first
raised. To be blunt about it, what you believe in or trust, and even
what may or may not be legally binding, are meaningless. There's always
the underlying mathematics to contend with, and those numbers just
don't add up on any modern deterministic computing device. Sorry. ;) 

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
                    http://wrench.homelinux.net/~jeff/