[linux-elitists] Phil Zimmermann on key exchange

David Shaw dshaw@jabberwocky.com
Wed Nov 14 07:35:40 PST 2001

On Wed, Nov 14, 2001 at 03:53:59AM +0000, M. Drew Streib wrote:
> > Of course, anyone who wants to get anal will still be able to do so. An
> > easy step you can take right now is to put your key fingerprint in an
> > e-mail header. It won't sign the mail, but it will get archived when
> > you post to a list, and give people some basis for trusting that key in
> > the future.
> Or you could sign the messages themselves. ;)
> I'm actually thinking about implementing Phil's email verification scheme,
> btw, although I'm still debating its usefulness. We'll see...

I've thought about something fairly similar to the email verification
scheme.  The trick (as always) is in the details.

The OpenPGP standard defines multiple signature verification levels.
Two levels may apply to this sort of signature: "persona", and
"casual".  Persona says, in effect, "I believe the user ID I am
signing is valid, but the only person who told me this was the user
herself".  I might go so far as to say that even the next level up,
the "casual" certification may be appropriate for this, which says "I
have done minimal checking of this user ID".

The problem is that no current implementation of PGP actually treats
the different signature classes differently.  Basically, a sig is a
sig is a sig.  (I have a patch in for GnuPG that lets it at least make
the different signatures - let me know if you want it).

Since there is currently no way for a user to tell their PGP to
disregard persona signatures if they don't approve of them, it is
important to do this in such a way that does not force those people
who do not feel that email verification is a good idea to use it
against their will.  The trick is to use a separate key for these
signings, and **use that key for no other signings**.

The reason it is important that the key is not used for other
signatures is the reason stated before: there is no (current) way for
the user to accept some signature classes - it's all or none.  This
signing key can then be trusted if the user wants to count these email
signatures, and not trusted if the user wants only personally verified

All that said, the reason I dropped the idea way back when is this:
This system gives some level of assurance that a person with access to
the key has some way to read email sent to the address on the key.
That's a good thing, but is it really necessary?

Compare the two cases where I want to send email to someone whose key
has no signatures, and where they have just this email signature:

* If they have the email signature, I know that the person behind the
  email address has access to the key, so I go ahead and send an
  encrypted message.

* If the key doesn't have the email signature, I don't know if the
  person behind the email address has access to the key, but I don't
  care; if the person behind the email address does not have access
  to the key, they won't be able to read the encrypted message I just
  sent them anyway!

Without something stronger than just checking whether an email address
reaches a person, this is not really a stronger system than just going
ahead and sending encrypted mail without checking.

I agree with Zimmermann that making certification and trust easier to
use is vital if "regular people" are going to use encryption.  "Why
Johnny Can't Encrypt" is a frightening paper.


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
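
What treating the certification classes differently could look like, as an added example that is not part of the original post and not GnuPG code: it reads the signature type and issuer key ID from v4 signature packet bodies and applies a per-level or per-issuer policy. The packet bodies, key IDs and the `counted` and `sample` functions are constructed for illustration, and no cryptographic verification of the signatures is done.

```python
import struct

# Certification signature types (OpenPGP spec, RFC 4880 section 5.2.1).
CERT_LEVEL = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
ISSUER = 16  # subpacket type holding the 8-byte issuer key ID

def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        n = area[i]; i += 1
        if 192 <= n < 255:                       # two-octet length
            n = ((n - 192) << 8) + area[i] + 192; i += 1
        elif n == 255:                           # five-octet length
            n = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]  # mask off the critical bit
        i += n

def parse_cert(body):
    """Return (sig_type, issuer_key_id) from a v4 signature packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    uoff = 6 + struct.unpack(">H", body[4:6])[0]   # end of hashed area
    if uoff + 2 > len(body):
        raise ValueError("truncated signature packet")
    ulen = struct.unpack(">H", body[uoff:uoff + 2])[0]
    issuer = None
    for area in (body[6:uoff], body[uoff + 2:uoff + 2 + ulen]):
        for typ, data in subpackets(area):
            if typ == ISSUER and len(data) == 8:
                issuer = data.hex().upper()
    return body[1], issuer

def counted(bodies, allowed=frozenset({0x10, 0x12, 0x13}), ignore_issuers=()):
    """Certifications a verifier counts under a per-level / per-issuer policy."""
    certs = [parse_cert(b) for b in bodies]
    return [(CERT_LEVEL[t], k) for t, k in certs
            if t in CERT_LEVEL and t in allowed and k not in ignore_issuers]

def sample(sig_type, key_id):
    """Constructed, truncated packet body (DSA/SHA-1 ids, no real signature)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1005750000)  # creation time
    unhashed = bytes([9, ISSUER]) + bytes.fromhex(key_id)
    return (bytes([4, sig_type, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

SAMPLES = [sample(t, k * 8) for t, k in ((0x11, "AA"), (0x13, "BB"), (0x12, "AA"))]
```

With the default policy, `counted(SAMPLES)` drops the persona certification and keeps the other two; passing `ignore_issuers` models the dedicated-key workaround, where a whole signing key is either counted or not.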