Identity with OpenPGP trust model

Let’s say you want to send a confidential message to me, and possibly receive a reply. Through employing asymmetric encryption, you can prevent a third party from reading its contents, even if it can intercept the ciphertext. Through signatures, you can verify the authenticity of the message, and therefore detect any possible tampering. But for all this to work, you need to be able to verify the authenticity of the public keys first. In other words, we need to be able to prevent the aforementioned third party — possibly capable of intercepting your communications and publishing a forged key with my credentials on it — from tricking you into using the wrong key.

This renders key authenticity the fundamental problem of asymmetric cryptography. But before we start discussing how key certification is implemented, we need to cover another fundamental issue — identity. After all, who am I — who is the person you are writing to? Are you writing to a person you’ve met? Or to a specific Gentoo developer? Author of some project? Before you can distinguish my authentic key from a forged key, you need to be able to clearly distinguish me from an impostor.

Forms of identity

Identity via e-mail address

If your primary goal is to communicate with the owner of the particular e-mail address, it seems obvious to associate the identity with the owner of the e-mail address. However, how in reality would you distinguish a ‘rightful owner’ of the e-mail address from a cracker who managed to obtain access to it, or to intercept your network communications and inject forged mails?

The truth is, the best you can certify is that the owner of a particular key is able to read and/or send mails from a particular e-mail address, at a particular point in time. Then, if you can certify the same for a long enough period of time, you may reasonably assume the address is continuously used by the same identity (which may qualify as a legitimate owner or a cracker with a lot of patience).

Of course, all this relies on your trust in mail infrastructure not being compromised.

Identity via personal data

A stronger protection against crackers may be provided by associating the identity with personal data, as confirmed by government-issued documents. In case of OpenPGP, this is just the real name; X.509 certificates also provide fields for street address, phone number, etc.

The use of real names seems to be based on two assumptions: that your real name is reasonable well-known (e.g. it can be established with little risk of being replaced by a third party), and that the attacker does not wish to disclose his own name. Besides that, using real names meets with some additional criticism.

Firstly, requiring one to use his real name may be considered an invasion on privacy. Most notably, some people wish not to disclose or use their real names, and this effectively prevents them from ever being certified.

Secondly, real names are not unique. After all, the naming systems developed from the necessity of distinguishing individuals in comparatively small groups, and they simply don’t scale to the size of the Internet. Therefore, name collisions are entirely possible and we are relying on sheer luck that the attacker wouldn’t happen to have the same name as you do.

Thirdly and most importantly, verifying identity documents is non-trivial and untrained individuals are likely to fall victim of mediocre quality fakes. After all, we’re talking about people who hopefully read some article on verifying a particular kind of document but have no experience recognizing forgery, no specialized hardware (I suppose most of you don’t carry a magnifying glass and a UV light on yourself) and who may lack skills in comparing signatures or photographs (not to mention some people have really old photographs in documents). Some countries don’t even issue any official documentation for document verification in English!

Finally, even besides the point of forged documents, this relies on trust in administration.

Identity via photographs

This one I’m mentioning merely for completeness. OpenPGP keys allow adding a photo as one of your UIDs. However, this is rather rarely used (out of the keys my GnuPG fetched so far, less than 10% have photographs). The concerns are similar as for personal data: it assumes that others are reliably able to know how you look like, and that they are capable of reliably comparing faces.

Online identity

An interesting concept is to use your public online activity to prove your identity — such as websites or social media. This is generally based on cross-referencing multiple resources with cryptographically proven publishing access, and assuming that an attacker would not be able to compromise all of them simultaneously.

A form of this concept is utilized by keybase.io. This service builds trust in user profiles via cryptographically cross-linking your profiles on some external sites and/or your websites. Furthermore, it actively encourages other users to verify those external proofs as well.

This identity model entirely relies on trust in network infrastructure and external sites. The likeliness of it being compromised is reduced by (potentially) relying on multiple independent sites.

Web of Trust model

Most of time, you won’t be able to directly verify the identity of everyone you’d like to communicate with. This creates a necessity of obtaining indirect proof of authenticity, and the model normally used for that purpose in OpenPGP is the Web of Trust. I won’t be getting into the fine details — you can find them e.g. in the GNU Privacy Handbook. For our purposes, it suffices to say that in WoT the authenticity of keys you haven’t verified may be assessed by people whose keys you trust already, or people they know, with a limited level of recursion.

The more key holders you can trust, the more keys you can have verified indirectly and the more likely it is that your future recipient will be in that group. Or that you will be able to get someone from across the world into your WoT by meeting someone residing much closer to yourself. Therefore, you’d naturally want the WoT to grow fast and include more individuals. You’d want to preach OpenPGP onto non-crypto-aware people. However, this comes with inherent danger: can you really trust that they will properly verify the identity of the keys they sign?

I believe this is the most fundamental issue with WoT model: for it to work outside of small specialized circles, it has to include more and more individuals across the world. But this growth inevitable makes it easier for a malicious third party to find people that can be tricked into certifying keys with forged identities.

Conclusion

The fundamental problem in OpenPGP usage is finding the correct key and verifying its authenticity. This becomes especially complex given there is no single clear way of determining one’s identity in the Internet. Normally, OpenPGP uses a combination of real name and e-mail address, optionally combined with a photograph. However, all of them have their weaknesses.

Direct identity verification for all recipients is non-practical, and therefore requires indirect certification solutions. While the WoT model used by OpenPGP attempts to avoid centralized trust specific to PKI, it is not clear whether it’s practically manageable. On one hand, it requires trusting more people in order to improve coverage; on the other, it makes it more vulnerable to fraud.

Given all the above, the trust-via-online-presence concept may be of some interest. Most importantly, it establishes a closer relationship between the identity you actually need and the identity you verify — e.g. you want to mail the person being an open source developer, author of some specific projects rather than arbitrary person with a common enough name. However, this concept is not established broadly yet.

6 thoughts on “Identity with OpenPGP trust model”

  1. Very insightful post, thanks!

    A couple of notes:

    It is possible to implement keybase.io-like identity verification purely in OpenPGP. One such approach (https://tools.ietf.org/html/draft-vb-openpgp-linked-ids-01) has been implemented in OpenKeychain. I did test a different approach using notations (https://github.com/wiktor-k/distributed-ids#distributed-ids).

    If one is interested in verifying keys of people in a particular organization then some of them publish map of people willing to key sign (e.g. https://www.kernel.org/doc/ksmap/ or https://wiki.debian.org/Keysigning/Offers). This is I think better than random key signing party as the person is already listed on official sites so it’s more likely they’re verified somehow.

    Some organizations can deploy authority keys and trust signatures (https://www.linuxfoundation.org/blog/2014/02/pgp-web-of-trust-delegated-trust-and-keyservers/) to automatically manage trusted keys within an organization reducing the burden on users. Trust signatures can be limited to a particular domain so users can indicate they trust the authority key to issue certifications only for their domain (e.g. @example.com).

    > However, this comes with inherent danger: can you really trust that they will properly verify the identity of the keys they sign?

    This can be mitigated a little by using marginal trust only instead of full and using more paths to a key (e.g. via https://pgp.cs.uu.nl). Of course this is more complex and time consuming but it could be solved with a “little bit” of tooling.

    1. Thank you for your comment. My post was in no way meant to be complete, and you’ve certainly managed to bring some interesting points in concise way.

      This can be mitigated a little by using marginal trust only instead of full and using more paths to a key (e.g. via https://pgp.cs.uu.nl). Of course this is more complex and time consuming but it could be solved with a “little bit” of tooling.

      My original post wasn’t assuming full trust. Unless I’m mistaken, this issue is even more profound when using partial trust. After all, you need more people to certify, so there are more intrusion points. I personally believe it’s harder to ‘crack’ 1 individual from a smaller set of trusted people, than N individuals from a much larger set of marginally trusted people.

      1. > I personally believe it’s harder to ‘crack’ 1 individual from a smaller set of trusted people, than N individuals from a much larger set of marginally trusted people.

        Yes, agreed, but that’s assuming you have a trusted person in between you and the key you’d like to verify. That’s the ideal condition and something to strive for.

        I meant the case when you don’t have a trusted person (like a colleague or someone you know in real life), then I think having marginal trust with many random people is better than full trust in one person. But to be honest I don’t have any data to back this up :)

        By the way, thanks for the high quality OpenPGP articles! I find myself recommending them to people that are unsure about some concepts (e.g. expiration).

        1. By default you need 3 signatures from people marked as “Marginal Trust” in GPG to automatically trust a key-uid binding as valid. Of course it’s better than trusting one person. You don’t trust any of them, so it cannot be more secure to put all your trust in a single one of them. However, OpenPGP is not a useful application of WoT. I wish the WoT part of OpenPGP would stop existing so I would not have to talk about awkward conceptsl like “key-uid bindings” anymore. Just give me sha256 fingerprints, nothing else matters.

          1. Except that opens up possibility for anyone in your trusted group to easily pretend to be anybody else.

  2. >However, this comes with inherent danger: can you really trust that they will properly verify the identity of the keys they sign?

    In a real WoT yes, but OpenPGP is not a real WoT: The claims being verified by the WoT (“This is the REAL John Smith”) are nonsense. A real WoT verifies actual tangible claims with a small margin of error: “this message is spam”, “this person is a spammer”, “this content is illegal according to law #3521351515”. WoTs in the context of key verification would not even work for famous people like Linus Tolvards, because outside a small community (compared to the rest of the world), there are tons of people who will not recognize the name, and admit all kinds of keys as “the real Linus Tolvards”. This could maybe be solved by providing a ton of context in a few (or a few hundred) natural languages to explain which Linus Tolvards we’re talking about, but at the end of the day, why are we even trying to get the key for the real Linus? Because a bunch of people told you he exists and matters? The topic of OpenPGP identity and WoT has been covered in its entirety at: http://longpoke.github.io/f37c5de221cb361db07f046b31047f329ddb2ca2fe3ab5b674c858a6686c5151.html

    The replacement for the web will link to everything by public key and the concept of identity wont matter because to read content by a person, you’ll already have his key. Famous people will be famous because their key is mentioned a lot. And a simple petname system on top of this fixes any “UX” concerns.

Leave a Reply

Your email address will not be published.