[liberationtech] Interesting things in keyservers

Ximin Luo infinity0 at gmx.com
Sat Jul 20 09:24:34 PDT 2013


On 20/07/13 15:05, micah wrote:
> Finally, there seems to be some amazing misconceptions about keyservers,
> keys and the web of trust. In particular this
> http://cryptome.org/2013/07/mining-pgp-keyservers.htm circulated
> recently and it pained me to see because it suggested various reckless
> conclusions that were dangerously off the mark[0] (and used pgp.mit.edu,
> hah). While it is true that we've jokingly called the OpenPGP web of
> trust "the original social network" because of the exposed social
> relational graphing that can be done by querying keyservers, and it is
> for this reason that many activists I know do not want to have
> signatures uploaded to keyservers (and instead use the bulky local-only
> signature work-around)...
> 
> ... but for some reason people seem to think that if it is on a
> keyserver, is true, or it means something that it doesn't. People don't
> realize critical things, such as the fact that I can create a key with
> the UID Nadim Kobeissi and upload it to the keyservers[1]. That doesn't
> mean that is the real Nadim's key (this is what exchanging key
> fingerprints and doing certifications is for, so you can know, with a
> certain degree of certainty, that this person is the person who controls
> that secret key material). 
> 
> Or people think that because I signed your key and that signature is on
> the keyserver that indicates: I trust you; we met in person at that
> date; we know each other; we are involved in a criminal conspiracy with
> each other; or many other wrong assumptions about what that
> certification means. I can sign Edward Snowden's key and send that to
> the keyservers[1]. Hell, I can sign Snowden's key with my fake Nadim
> Kobeissi key[1] and then send it to the keyservers. Does that mean that
> Nadim and Snowden have met in person?! No, it does not at all.
> 

+9001

Related anecdote: http://lists.gnupg.org/pipermail/gnupg-devel/2013-July/027793.html

I was thinking of writing a script to create a shadow copy of the current PGP WoT, i.e. with fake keys with signatures that match the edges in the real WoT. Then uploading all of these public keys to keyservers, heheheh. Some may consider this disruptive but IMO it would hammer home the idea that keyserver info is not trusted. (Of course people could still incorrectly ask over insecure IM "which key is actually yours", or make the same "trust" mistake as in the thread I just linked; but at least it would make it clear that keyservers are not Sources Of Truth.)

A less nefarious version is to have each key's comment set to "NSA INTERCEPTION KEY" or obvious fakeness indicator.

X
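Added example, not part of this thread: a simplified model of the classic GnuPG trust computation that shows why the certifications micah describes are inert for a verifier. A signature on a keyserver only contributes to a key's validity once you have assigned ownertrust, by fingerprint, to the signer; a key carrying a familiar UID but an unknown fingerprint gets none. All fingerprints and names below are constructed placeholders.

```python
"""Simplified classic-GnuPG validity computation.

Added example, not code from this thread. Fingerprints below are constructed
placeholders. Certifications are the edges a keyserver would return, unverified;
ownertrust is a local decision made only after checking a fingerprint out of band.
"""
from typing import Dict, Set, Tuple

ME, ALICE, STRANGER = "FPR-ME", "FPR-ALICE", "FPR-STRANGER"
FAKE_ALICE = "FPR-ALICE-IMPOSTOR"   # key carrying Alice's UID, different fingerprint
NADIM_A = "FPR-NADIM-1"             # UID "Nadim Kobeissi", certified by the real Alice
NADIM_B = "FPR-NADIM-2"             # same UID, certified only by keys nobody vouched for

CERTS: Set[Tuple[str, str]] = {     # (signer, signed), as harvested from a keyserver
    (ME, ALICE), (ALICE, NADIM_A),
    (STRANGER, NADIM_B), (FAKE_ALICE, NADIM_B), (FAKE_ALICE, ALICE),
}
OWNERTRUST: Dict[str, str] = {ME: "ultimate", ALICE: "full"}  # keyed by fingerprint


def compute_validity(certs, ownertrust, marginals_needed=3, max_depth=5):
    """Return {fingerprint: 'full' | 'marginal' | 'unknown'}.

    A certification counts only if the signer's key is itself fully valid AND
    you have assigned that signer ownertrust. Full validity needs one such
    fully trusted signer or `marginals_needed` marginally trusted ones; a
    single marginally trusted signer gives marginal validity. Path length is
    bounded by max_depth, in the spirit of GnuPG's --max-cert-depth."""
    keys = {k for edge in certs for k in edge} | set(ownertrust)
    validity = {k: ("full" if ownertrust.get(k) == "ultimate" else "unknown") for k in keys}
    for _ in range(max_depth):
        for key in sorted(keys):
            if validity[key] == "full":
                continue
            # Only signatures from already-valid keys are considered at all.
            signers = [s for s, t in certs if t == key and s != key and validity[s] == "full"]
            full = sum(ownertrust.get(s) in ("ultimate", "full") for s in signers)
            marginal = sum(ownertrust.get(s) == "marginal" for s in signers)
            if full >= 1 or marginal >= marginals_needed:
                validity[key] = "full"
            elif marginal >= 1:
                validity[key] = "marginal"
    return validity


if __name__ == "__main__":
    for fpr, v in sorted(compute_validity(CERTS, OWNERTRUST).items()):
        print(f"{fpr:22} {v}")
```

Dropping Alice's ownertrust leaves her key valid (I signed it) but makes NADIM_A unknown again: validity of the signer and trust in the signer are separate decisions, and neither is something a keyserver can supply.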
