Technische Universität Braunschweig

Complementing the Web of Trust with Affirmations

Student: (visible for staff only)
Supervisor: Dr. Dominik Schürmann
Professor: Prof. Dr.-Ing. Lars Wolf
IBR Group: CM (Prof. Wolf)
Type: Master Thesis
Status: finished

Introduction

In asymmetric cryptography [DH76], the security of a communication protocol relies equally on its confidentiality and authentication properties. To establish a secure channel of communication, the receiving party generates a pair of public and private keys. The public key is published, and can be used to encrypt data in a way that can only be decrypted by a party with access to the related private key. The weak point of this procedure lies in the means of obtaining an intended recipient’s public key. If an adversary can substitute the key with one of his own during retrieval, he will be able to perform a Man-In-The-Middle attack on any communication intended for the substituted public key. This negates the confidentiality properties of any communication which uses a public key that was not obtained either through a trusted channel, or with an additional mechanism for authentication, such as a Public-Key Infrastructure (PKI).

The general problem tackled by a PKI is establishing a chain of trust between two communication partners. One key distinctive feature of a PKI is its precise definition of “trust anchors”. A trust anchor is any type of entity deemed ultimately trustworthy in the model, either established by the model itself or the user. A PKI’s particular notion of trust anchors directly affects the granularity and complexity of trust decisions required from the user or (if applicable) maintainers in a given PKI.

For secure communication via e-mail, there are two established protocols featuring different approaches in this regard. The Secure/Multipurpose Internet Mail Extensions (S/MIME, RFC 2450) standard relies on certificate authorities (CAs) as trust anchors for authentication, leaving the list of trusted CAs as the sole trust decision, which is usually delegated entirely to the operating system or software distribution maintainer. In contrast, the OpenPGP standard (RFC 4880) establishes authentication between two users in a decentralized manner via a path of intermediate trusted users. The precise definition of trust anchors in this model is left up to the user, the established standard being official identification documents of the owner of a keyring.

Linked Identities

An alternative and complementary approach for establishing authentication between OpenPGP keyrings is based on Linked Identities. An affirmation is a verifiable mutual relation between a keyring and an arbitrary resource on the web, meant to support users in the decision of whether a keyring is genuine or not. An affirmation is not necessarily grounded in a chain of trust, but rather represents an assertion that the owner of a keyring has control over the related resource at the point in time when the certification is made, where the precise definition of “control” varies by resource type.

Prime examples of suitable resources are DNS zones, or accounts on social networks. For DNS zones, the user would prove their control through creation of a TXT record, which can in turn be authenticated by means of DNSSEC (RFC 2535). As an instance of a social network affirmation, control over a Twitter account can be proven with a tweet.
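The mutual relation for a DNS zone, sketched as an added example that is not part of the thesis announcement or of RFC 4880: the keyring must name the zone and a DNSSEC-validated TXT record must name the key. The TXT tag `openpgp-affirmation=`, the `dns:` claim notation, the class and function names, and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

PREFIX = "openpgp-affirmation="  # hypothetical TXT tag, not from any standard

@dataclass(frozen=True)
class Keyring:
    fingerprint: str      # hex fingerprint of the primary key
    claims: frozenset     # resources the owner claims, e.g. "dns:example.org"

@dataclass(frozen=True)
class DnsAnswer:
    zone: str
    txt_records: tuple    # TXT strings returned for the zone
    dnssec_validated: bool  # True only if the resolver validated the chain

def normalize(fpr: str) -> str:
    """Fingerprints are compared without spacing and case-insensitively."""
    return "".join(fpr.split()).upper()

def verify_dns_affirmation(keyring: Keyring, answer: DnsAnswer) -> str:
    """Return 'verified' or the reason the mutual relation does not hold."""
    zone = answer.zone.lower().rstrip(".")
    # Direction 1: the keyring must name the zone.
    if f"dns:{zone}" not in keyring.claims:
        return "keyring does not claim this zone"
    # Unauthenticated DNS data could have been substituted in transit.
    if not answer.dnssec_validated:
        return "answer not authenticated by DNSSEC"
    # Direction 2: the zone must name this exact key.
    wanted = normalize(keyring.fingerprint)
    for txt in answer.txt_records:
        if txt.startswith(PREFIX) and normalize(txt[len(PREFIX):]) == wanted:
            return "verified"
    return "zone does not name this key"

# Constructed sample data (not real keys or records).
FPR_OWNER = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
FPR_OTHER = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
CLAIM = frozenset({"dns:example.org"})
ANSWER = DnsAnswer("example.org.", ("v=spf1 -all",
                   PREFIX + "0123456789abcdef0123456789abcdef01234567"), True)

if __name__ == "__main__":
    print(verify_dns_affirmation(Keyring(FPR_OWNER, CLAIM), ANSWER))
    print(verify_dns_affirmation(Keyring(FPR_OTHER, CLAIM), ANSWER))
```

A key that merely claims the zone without a matching record fails the second direction, which is why a one-sided claim carries no weight.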

Compared to the WoT, where names of persons as certified by common proof of identity are the only established type of entity for whom a certification can be issued, Linked Identities expand this to any kind of online resource, most notably profiles on social networks. These can in fact provide a more precise representation of an intended recipient in cases where the communicating parties only know each other by way of those profiles rather than in person. For instance, a user who writes an encrypted message to the owner of an account on GitHub usually intends to send the message to the entity responsible for the commits and other contributions associated with that account, with no actual connection to the name of the entity behind the account.

As a further advantage, decisions based on Linked Identities can be made ad hoc for candidate keys of intended recipients, in contrast to the WoT, where certifications have to be made ahead of time for all potential recipients or trusted entities. Consequently, the reach of a keyring is established directly by the owner through connections with resources he has control over, not indirectly by being subject to actions (i.e. certifications) of others. Effectively, the responsibility for building a trustworthy keyring is placed back with its owner, rather than spread over a decentralized network. There is also less need to publish (or even certify) the affirmations a user decides to trust, although this is still possible, for example for synchronization purposes.

Task

The task of this thesis consists of planning out, implementing and evaluating a standard for Linked Identities as described before as an extension to the OpenPGP standard (RFC 4880). In preparation, a thorough comparison and evaluation of different trust anchors and paths in PKIs should be performed to better establish the concept and comparative qualities of Linked Identities.


last changed 2015-05-27, 16:45 by Dr. Dominik Schürmann
