I went to a party recently, and it reminded of quite how bad humans are at trust. It was a work “mixer”, and an attempt to get people who didn’t know each other well to chat and exchange some information. We were each given two cards to hang around our necks: one on which to write our own name, and the other on which we were supposed to collect the initials of those to whom we spoke (in their own hand). At the end of the event, the plan was to hand out rewards whose value was related to the number of initials collected. Pens/markers were provided.
I gamed the system by standing by the entrance, giving out the cards, controlling the markers and ensuring that everybody signed my card, hence ending up with easily the largest number of initials of anyone at the party. But that’s not the point. Somebody – a number of people, in fact – pointed out the similarities between this and “key signing parties”, and that got me thinking. For those of you not old enough – or not security-geeky enough – to have come across these, they were events which were popular in the late nineties and early parts of the first decade of the twenty-first century[1] where people would get together, typically at a tech show, and sign each other’s PGP keys. PGP keys are an interesting idea whereby you maintain a public-private key pair which you use to sign emails, assert your identity, etc., in the online world. In order for this to work, however, you need to establish that you are who you say you are, and in order for this to work, you need to convince someone of this fact.
There are two easy ways to do this:
- meet someone IRL[2], get them to validate your public key, and sign it with theirs;
- have someone who knows the person you met in step 1 agree that they can probably trust you, as the person in step 1 did, and they trust them.
This is a form of trust based on reputation, and it turns out that it is a terrible model for trust. Let’s talk about some of the reasons for it not working. There are four main ones:
- context
- decay
- transitive trust
- peer pressure.
Let’s evaluate these briefly.
Context
I can’t emphasise this enough: trust is always, always contextual (see “What is trust?” for a quick primer). When people signed other people’s key-pairs, all they should really have been saying was “I believe that the identity of this person is as stated”, but signatures and encryption based on these keys was (and is) frequently misused to make statements about, or claim access to, capabilities that were not necessarily related to identity.
I lay some of the fault of this at the US alcohol consumption policy. Many (US) Americans use their driving licence/license as a form of authorisation: I am over this age, and am therefore entitled to purchase alcohol. It was designed to prove that their were authorised to drive, and nothing more than that, but you can now get a US driving licence to prove your age even if you can’t drive, and it can be used, for instance, as security identification for getting on aircraft at airportsThis is crazy, but partly explains why there is such a confusion between identification, authentication and authorisation.
Decay
Trust, as I’ve noted before in many articles, decays. Just because I trust you now (within a particular context) doesn’t mean that I should trust you in the future (in that or any other context). Mechanisms exist within the PGP framework to expire keys, but it was (I believe) typical for someone to resign a new set of keys just because they’d signed the previous set. If they were only being used for identity, then that’s probably OK – most people rarely change their identity, after all – but, as explained above, these key pairs were often used more widely.
Transitive trust
This is the whole “trusting someone because I trust you” problem. Again, if this were only about identity, then I’d be less worried, but given people’s lack of ability to specify context, and their equal inability to communicate that to others, the “fuzziness” of the trust relationships being expressed was only going to increase with the level of transitiveness, reducing the efficacy of the system as a whole.
Peer pressure
Honestly, this occurred to me due to my gaming of the system, as described in the second paragraph at the top of this article. I remember meeting people at events and agreeing to endorse their key-pairs basically because everybody else was doing it. I didn’t really know them, though (I hope) I had at least heard of them (“oh, you’re Denny’s friend, I think he mentioned you”), and I certainly shouldn’t have been signing their key-pairs. I am certain that I was not the only person to fall into this trap, and it’s a trap because humans are generally social animals[3], and they like to please others. There was ample opportunity for people to game the system much more cynically than I did at the party, and I’d be surprised if this didn’t happen from time to time.
Stepping back a bit
To be fair, it is possible to run a model like this properly. It’s possible to avoid all of these by insisting on proper contextual trust (with multiple keys for different contexts), by re-evaluating trust relationships on a regular basis, by being very careful about trusting people just due to their trusting someone else (or refusing to do so at all), and by refusing just to agree to trust someone because you’ve met them and they “seem nice”. But I’m not aware of anyone – anyone – who kept to these rules, and it’s why I gave up on this trust model over a decade ago. I suspect that I’m going to get some angry comments from people who assert that they used (and use) the system properly, and I’m sure that there are people out there who did and do: but as a widespread system, it was only going to work if the large majority of all users treated it correctly, and given human nature and failings, that never really happened.
I’m also not suggesting that we have many better models – but we really, really need to start looking for some, as this is important, and difficult stuff.
1 – I refuse to refer to these years the “aughts”.
2 – In Real Life – this used to be an actual distinction to online.
3 – even a large enough percentage of IT folks to make this a problem.
Alice, Eve and Bob - a security blog 
Thanks for writing this Mike (and putting an extra nail in the Web of Trust’s coffin). The WoT model comes from a more naïve time, and needs to go.
Here’s another reason to dislike it: it provides a free social graph for your adversaries.
Who has (most likely physically) met whom, when, if they are still possibly in contact (by observing key signatures and refreshes).
Some attempts were made to limit this problems, such as Parcimonie (https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/) which refreshes your keyring of public keys one at a time, at random intervals, over Tor. But that really is only trying to patch an otherwise very problematic system.
One of the maintainers (and original authors, if I recall correctly) of a major PGP keyserver has recently written that the whole thing needs to be scrapped and is not worth rebuilding.
With all this in mind, I am curious however of your and others’ opinion of Keybase.
One more thing, talking of better models. The only proper way of having ad-hoc, contextual trust keys/encryption is to have the key creation, synchronisation and verification all done automatically. Clearly, asking of users to manage keys themselves is just not going to work. We’ve had public key cryptography for something like 40 years and the vast majority of people have no idea what a public key is (and I don’t blame them). The only thing that looks like it might solve this hard problem that I can see right now are the attempts at building Self-Sovereign Identity networks, with the concept of pairwise DIDs (Decentralised IDs): create a unique pair of keys for every two-way relationship and keep it private to the two concerned parties.
LikeLike