Daniel M. Skube

The Boot-Strapping Problem of PGP

November 17, 2019417 words

Who verifies the verified?

PGP - by which I mean all variants, open- & closed-source - is powerful yet awkward software. By 'awkward', I don't mean using the command-line interface; CLI-literacy is attainable.

By 'awkward', I mean that obtaining the true public-key of a stranger requires an inordinate amount of trust & hassle. Since there's been some recent controversy, let's pretend Bob wants to download Tor Browser.

Bob isn't security-conscious, but he's trying. This month, he installed a password-manager, switched from Windows to Linux, and even learned a little about using gpg on the command-line.

Bob is concerned about the dismal state of internet privacy, so he downloads Tor. Ever a dutiful denizen of the 'net, Bob also downloads the accompanying .sig file. As he prepares to verify his downloads on the command-line, Bob realizes "Wait! I don't have the public-keys for the Tor Project".

Not one to wait, Bob searches DuckDuckGo for "public keys tor". The first result is from torproject.org, where Bob made his initial download. "Perfect,", Bob thinks, "Straight from the horse's mouth."

Bob thinks again. "If I trust the Tor website so much, why am I bothering to verify the file at all? I can't trust a public-key from the same website I got my files from."

Bob is right. He needs to find an independent source for the keys. Where to now?

Since Bob is already on torproject.org, he press the hyperlink on a key-id. A new tab loads that says pgp.mit.edu. "Oh, the MIT key-server. I can trust them." While waiting for the key-server to load, Bob falls into coma. When he reawakens six-months later, the page is still loading.

To celebrate escaping the coma, Bob vacations in Hawaii for a week. When he returns, the key-server has finally loaded. Error 400: Server Under-resourced; Page Cannot Be Loaded.

"Ironic," thinks Bob, "this key-server is as out-of-date & unaccountable as the academics who maintain it."

So, Bob seeks out the next option that comes to mind: the GNU key-server. Bob goes to keys.gnupg.net and notices the connection is unsecured HTTP.

Bob leaves his house & walks directly into the ocean.

Take care, Bob. You represent us all.

Hopefully, the dark days of HTTP key-servers are all but behind us now. Applications like keybase.io (find me @ dmskube) promise a more secure, less trusting model for what a key-server could be.

Let's hope that innovation in privacy UX keeps apace with innovation in privacy technology. And let's hope against the reverse!

React to this post
👍❤️🫶👏👌🤯🤔😂😍😭😢😡😮

You'll only receive email when they publish something new.

More from Daniel M. Skube
All posts