Building a Transparent Keyserver (opens in new tab)

(words.filippo.io)

80 pointsnoident4mo ago26 comments

26 comments

agwa4mo ago

There are a couple things missing from this:

1. The monitoring client does not ensure that the checkpoint was created recently, so a malicious log can conceal malicious entries from monitors by serving an old checkpoint.

2. Though the age keyserver policy is not configured this way, the post suggests you could create a policy that requires only a minority of witnesses (e.g. 3 of 10) to cosign a checkpoint. If you do this, then monitors have to get checkpoints that are cosigned by at least 8 of the 10 witnesses. Otherwise, a malicious log could present one view to relying parties that is cosigned by one set of witnesses, and a different view to monitors that is cosigned by a different set of witnesses. There is currently no mechanism specified for monitors to get these extra cosignatures, so if you go with a minority policy you'll need to invent your own stuff in order for witnessing to actually accomplish anything.

FiloSottile4mo ago

Fixed (1) in https://github.com/FiloSottile/torchwood/commit/8b61ef967, thank you!

I'll add a note to the part of the article that mentions non-majority policies.

Thom20004mo ago

I wonder if they think of a deeper integration of this into the age binary. Currently the invocation looks extremely ugly:

    age -r $(go run filippo.io/torchwood/cmd/age-keylookup@main joe@example.com)

akerl_4mo ago

I assume once it's stabilized you'd swap the `go run` for just installing and using a binary, similar to what you're already doing with age.

FiloSottile4mo ago

Honestly not sure why I didn't do that once the tool had stabilized.

Switched to

    go install filippo.io/torchwood/cmd/age-keylookup@main
    age -r $(age-keylookup alice@example.com)

age is designed to be composable and very stable, and this shell combination works well enough, so it's unlikely we'll build it straight into age(1).

Imustaskforhelp4mo ago

Offtopic but I really appreciate golang and so I am always on the lookout of modern alternatives and I found age and I found it to be brilliant for what its worth

But I was discussing it with some techies once and someone mentioned to me that it had less entropy (I think they mentioned 256 bits of entropy) whereas they wanted 512 bits of entropy which pgp supported

I can be wrong about what exactly they talked about since it was long time ago so pardon me if thats the case, but are there any "issues" that you know about in age?

Another thing regarding the transparent servers is that what really happens if the servers go down, do you have any thoughts of having fediverse-alike capabilities perhaps? And also are there any issues/limitations of the transparent keyserver that you wish to discuss

Also your work on age has been phenomenal so thank you for creating a tool like age!

1 more reply

notyourancilla4mo ago

> The author pronounces it [aɡe̞] with a hard g, like GIF, and is always spelled lowercase.

Of all the words we could've used to explain how to pronounce something

dctoedt4mo ago

> [GIF has a hard G]

Glad I preserved a tweet that commented on a subheadline at The Verge from when the creator of the GIF died:

Subheadline from The Verge: "It's pronounced 'jif'"

Tweet: "I guess he's with jod now"

https://toedtclassnotes.site44.com/#orgdf3fc45

FiloSottile4mo ago

>:)

tptacek4mo ago

It's pronounced "aggie".

miki1232114mo ago

As a monitor, how do you differentiate between the operator removing a poisoned key versus them adding a malicious key and then trying to hide that fact?

FiloSottile4mo ago

You don’t, but remember you monitor your own keys: if you know you didn’t upload a poisoned key and the log refuses to serve a key preimage for your email, you’ve caught it misbehaving.

sublimefire4mo ago

Dunno, IMO you need to know the bits of what operator is running to fully trust the third party, eg run in an enclave and share attestation evidence and the source code. Otherwise, operator can just mimic the appearance of the log.

FiloSottile4mo ago

No, the point of the Merkle tree inclusion proofs and of the witness cosignatures is precisely that the operator can't show a different view of the log to different parties.

noidentOP4mo ago

Filippo Valsorda discusses his server for storing age keys

xeonmc4mo ago

At first glance I misread this as "stone age keys" and thought it was a dig at gpg

upofadown4mo ago

The good old SKS network achieves most or all of the advantages of key transparency in a simpler way by being append-only. An attacker could downgrade your PGP identity on one server but the rest would have the newest version you uploaded to the network.

There was a theory floating around back in 2018 that the append-only nature of the SKS network makes it effectively illegal due to the GDPR "right to erasure" but nothing came of that and the SKS network is still alive:

* https://spider.pgpkeys.eu/

FiloSottile4mo ago

The SKS network is append-only in aspiration. There is nothing like a Merkle tree stopping a server in the pool (or a MitM) from serving a fake key to a client. The whole point of tlogs is holding systems like that accountable. Also, the section on VRFs of the article addresses precisely the user removal issue.

upofadown4mo ago

A single SKS server can not serve a fake key, only a valid key that existed in the past. This might be done to maliciously unrevoke a key. The normal PGP key integrity prevents straight up forgeries.

j / k navigate · click thread line to collapse

26 comments

agwa4mo ago

There are a couple things missing from this:

1. The monitoring client does not ensure that the checkpoint was created recently, so a malicious log can conceal malicious entries from monitors by serving an old checkpoint.

FiloSottile4mo ago

Fixed (1) in https://github.com/FiloSottile/torchwood/commit/8b61ef967, thank you!

I'll add a note to the part of the article that mentions non-majority policies.

Thom20004mo ago

I wonder if they think of a deeper integration of this into the age binary. Currently the invocation looks extremely ugly:

    age -r $(go run filippo.io/torchwood/cmd/age-keylookup@main joe@example.com)

akerl_4mo ago

I assume once it's stabilized you'd swap the `go run` for just installing and using a binary, similar to what you're already doing with age.

FiloSottile4mo ago

Honestly not sure why I didn't do that once the tool had stabilized.

Switched to

    go install filippo.io/torchwood/cmd/age-keylookup@main
    age -r $(age-keylookup alice@example.com)

age is designed to be composable and very stable, and this shell combination works well enough, so it's unlikely we'll build it straight into age(1).

Imustaskforhelp4mo ago

Offtopic but I really appreciate golang and so I am always on the lookout of modern alternatives and I found age and I found it to be brilliant for what its worth

I can be wrong about what exactly they talked about since it was long time ago so pardon me if thats the case, but are there any "issues" that you know about in age?

Also your work on age has been phenomenal so thank you for creating a tool like age!

1 more reply

notyourancilla4mo ago

> The author pronounces it [aɡe̞] with a hard g, like GIF, and is always spelled lowercase.

Of all the words we could've used to explain how to pronounce something

dctoedt4mo ago

> [GIF has a hard G]

Glad I preserved a tweet that commented on a subheadline at The Verge from when the creator of the GIF died:

Subheadline from The Verge: "It's pronounced 'jif'"

Tweet: "I guess he's with jod now"

https://toedtclassnotes.site44.com/#orgdf3fc45

FiloSottile4mo ago

>:)

tptacek4mo ago

It's pronounced "aggie".

miki1232114mo ago

As a monitor, how do you differentiate between the operator removing a poisoned key versus them adding a malicious key and then trying to hide that fact?

FiloSottile4mo ago

You don’t, but remember you monitor your own keys: if you know you didn’t upload a poisoned key and the log refuses to serve a key preimage for your email, you’ve caught it misbehaving.

sublimefire4mo ago

FiloSottile4mo ago

No, the point of the Merkle tree inclusion proofs and of the witness cosignatures is precisely that the operator can't show a different view of the log to different parties.

noidentOP4mo ago

Filippo Valsorda discusses his server for storing age keys

xeonmc4mo ago

At first glance I misread this as "stone age keys" and thought it was a dig at gpg

upofadown4mo ago

* https://spider.pgpkeys.eu/

FiloSottile4mo ago

upofadown4mo ago

A single SKS server can not serve a fake key, only a valid key that existed in the past. This might be done to maliciously unrevoke a key. The normal PGP key integrity prevents straight up forgeries.

j / k navigate · click thread line to collapse