[conspire] CA signed certs, and not CA signed ... PGP/GPG cross-signed? ... Firefox CertificateWatch extension ...

Rick Moen rick at linuxmafia.com
Sat Mar 12 18:56:18 PST 2016


Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> Yes, I think PGP/GPG signing SSL/TLS certs (be the certs CA signed or
> self-signed) is an *excellent* idea [...]

Also, alas, possibly a somewhat utopian one.  And here's why I say that:

The Web of Trust (WoT) model exemplified by PGP / gpg works great,
provided participants are motivated and are willing to participate in 
keysignings, so that they have credible trust paths they can use to 
vet people and things they know personally.

You like the WoT model because it works well (for motivated people).  
I like it.  The Debian Project likes it.  Software developers all over
the world like it.

Because we've done some keysignings.

I believe I used to have a standard techie joke about playing 'Six
degrees of Ted Ts'o' because the Linux technical community is so
interconnected that we all have PGP trust paths going through Ted Ts'o.

And I used to have Ted as a co-worker, so my Ts'o Number (analogous to
an Erdős Number or a Bacon Number) is probably 1.

https://en.wikipedia.org/wiki/Erdős_number
https://en.wikipedia.org/wiki/Six_Degrees_of_Kevin_Bacon

By contrast, J. Random User has never heard of it and isn't likely to
even try.  If he/she tries, the guaranteed initial result is total
frustration, because of no usable trust paths.  And this is why the 
alternative PKI model rules the broader non-developer, non-sysadmin
world, even though its implementation (Certificate Authorities) is
rotten to the core.

So, getting to the point, _even_ if we get a pervasive browser plug-in
that makes WoT attestation of SSL certs seamless, most people would get
failure to find a trust path, most of the time.  And so the value
proposition would be non-obvious except to us people with
(metaphorically) low Ts'o Numbers, i.e., people who actually participate
in keysignings, hence actually have trust paths.


Anyway, there _are_ some schemes for using a semi-seamless WoT model for
Web certs -- including matching browser plug-ins so users don't need to 
manually gpg-check hashes.  I swear I've seen some.  Hold a sec:

http://web.monkeysphere.info/
 
  The Monkeysphere project's goal is to extend OpenPGP's web of trust to
  new areas of the Internet to help us securely identify servers we
  connect to, as well as each other while we work online. The suite of
  Monkeysphere utilities provides a framework to transparently leverage
  the web of trust for authentication of TLS/SSL communications through
  the normal use of tools you are familiar with, such as your web browser
  or secure shell.

Lots of details here:
http://web.monkeysphere.info/FAQ/

I've been totally lame, and have utterly failed to look into, and
experiment with, Monkeysphere Project tools.


Convergence is a less radical, and probably more promising, but still
very clever option that does _not_ abandon PKI entirely, but tries to
tame it:

http://convergence.io/details.html

  Convergence is a secure replacement for the Certificate Authority
  System. Rather than employing a traditionally hard-coded list of
  immutable CAs, Convergence allows you to configure a dynamic set of
  Notaries which use network perspective to validate your communication.

  Convergence allows you to choose who you want to trust, rather than
  having someone else's decision forced on you. You can revise your trust
  decisions at any time, so that you're not locked in to trusting anyone
  for longer than you want.

  Convergence makes it easy for anyone to run their own trust notary.
  Each notary can only make security decisions for the clients that have
  chosen to trust it -- so the security, integrity, or accuracy of a
  notary does not affect those who haven't selected it.

The working assumption behind Convergence is that it's not necessary to 
throw out the PKI _concept_, just the clown car of corrupt, incompetent,
and mafioso-and/or-government-suborned jackasses that are the world's CAs.


I've been talking a good game on my Web pages
(http://linuxmafia.com/~rick/faq/kicking.html#linuxbrowser) about how I
_should_ try Convergence and/or Monkeysphere to pioneer cert attestation
that doesn't suck for years, but I haven't done it.  So, realism
suggests that for the _near_ future at least, I'm not likely to do much 
more than just have a competent self-signed cert, make my Web site use
TLS 1.2 and prevent the use of bad ciphers, make a gpg-signed hash of my
cert available, and continue telling people that the CA system is rotten
to the core and needs to die.

It bothers me that WoT-based alternatives to PKI seem very difficult to
find using Web-searching.  That's on the strength of several minutes'
trying.  I had to give up and consult my Web pages.

That's either a bad sign for the state of mindshare, _or_ it means that
my brain is sufficiently fried by the Martian Death Flu that I'm not
searching intelligently.  (I definitely would not be quick to rule out
the latter.)
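
The notary idea quoted above from the Convergence page, as an added example that is not part of the original message and is not Convergence's code or wire protocol: a simplified model in which a client accepts a certificate only when a quorum of the notaries it chose report the same fingerprint. The Notary class, the validate function, the host name and the certificate byte strings are all hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()

@dataclass
class Notary:
    """Hypothetical notary: reports the cert it sees from its own network path."""
    name: str
    view: dict  # host -> cert bytes observed from this notary's vantage point

    def observe(self, host: str):
        cert = self.view.get(host)
        return fingerprint(cert) if cert is not None else None

def validate(host, presented_cert, chosen, quorum):
    """Accept only if at least `quorum` of the client's chosen notaries
    report the same fingerprint the client was presented with."""
    seen = fingerprint(presented_cert)
    agree = sum(1 for n in chosen if n.observe(host) == seen)
    return agree >= quorum

# Constructed stand-ins for certificate bytes (not real certificates).
GENUINE = b"constructed: genuine cert for www.example.org"
FORGED = b"constructed: cert substituted on the client's network path"
HOST = "www.example.org"

a, b, c = (Notary(n, {HOST: GENUINE}) for n in "ABC")
bad = Notary("D", {HOST: FORGED})   # a notary that vouches for the forged cert

def scenarios():
    """Outcome of each client configuration: True = accept, False = reject."""
    return {
        "clean path, notaries A,B,C": validate(HOST, GENUINE, [a, b, c], 2),
        "intercepted path, notaries A,B,C": validate(HOST, FORGED, [a, b, c], 2),
        "intercepted path, notaries A,B,D": validate(HOST, FORGED, [a, b, bad], 2),
        "intercepted path, only notary D": validate(HOST, FORGED, [bad], 1),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

The last two scenarios show the property the quoted text claims: a bad notary misleads only a client that relies on it, and is outvoted when the client's other chosen notaries disagree.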





