As a monitor, how do you differentiate between the operator removing a poisoned key versus them adding a malicious key and then trying to hide that fact?
You don’t, but remember you monitor your own keys: if you know you didn’t upload a poisoned key and the log refuses to serve a key preimage for your email, you’ve caught it misbehaving.
Dunno, IMO you need to know the bits of what the operator is running to fully trust the third party, e.g. run in an enclave and share attestation evidence and the source code. Otherwise, the operator can just mimic the appearance of the log.
No, the point of the Merkle tree inclusion proofs and of the witness cosignatures is precisely that the operator can't show a different view of the log to different parties.
The good old SKS network achieves most or all of the advantages of key transparency in a simpler way by being append-only. An attacker could downgrade your PGP identity on one server but the rest would have the newest version you uploaded to the network.
The SKS network is append-only in aspiration. There is nothing like a Merkle tree stopping a server in the pool (or a MitM) from serving a fake key to a client. The whole point of tlogs is holding systems like that accountable. Also, the article's section on VRFs addresses precisely the user removal issue.
agwa|2 months ago
1. The monitoring client does not ensure that the checkpoint was created recently, so a malicious log can conceal malicious entries from monitors by serving an old checkpoint.
2. Though the age keyserver policy is not configured this way, the post suggests you could create a policy that requires only a minority of witnesses (e.g. 3 of 10) to cosign a checkpoint. If you do this, then monitors have to get checkpoints that are cosigned by at least 8 of the 10 witnesses. Otherwise, a malicious log could present one view to relying parties that is cosigned by one set of witnesses, and a different view to monitors that is cosigned by a different set of witnesses. There is currently no mechanism specified for monitors to get these extra cosignatures, so if you go with a minority policy you'll need to invent your own stuff in order for witnessing to actually accomplish anything.
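The two checks this comment asks for on the monitor side, freshness of the witnessed checkpoint and a cosignature quorum large enough that a log cannot split its view between relying parties and monitors, as an added example that is not code from the post, the article or the age keyserver project. The witness names, keys, checkpoint body and the cosignature/v1-style signed-message layout are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Cosignature is one witness's signature over a checkpoint plus the time the
// witness claims it signed. The signed message layout in cosigMessage is
// modeled on the C2SP cosignature/v1 note format and is an assumption here.
type Cosignature struct {
	Witness   string
	Timestamp int64  // Unix seconds asserted by the witness
	Sig       []byte // Ed25519 signature over cosigMessage(...)
}

// cosigMessage binds the witness timestamp to the checkpoint body, so a
// signature cannot be replayed onto a different tree head or a different time.
func cosigMessage(checkpoint string, ts int64) []byte {
	return []byte(fmt.Sprintf("cosignature/v1\ntime %d\n%s", ts, checkpoint))
}

// Witness is a hypothetical cosigner with an Ed25519 key pair.
type Witness struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewWitness(name string) Witness {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Witness{Name: name, Pub: pub, priv: priv}
}

// Cosign produces this witness's cosignature at time now. A real witness would
// first check the checkpoint is consistent with the last one it signed.
func (w Witness) Cosign(checkpoint string, now time.Time) Cosignature {
	ts := now.Unix()
	return Cosignature{Witness: w.Name, Timestamp: ts, Sig: ed25519.Sign(w.priv, cosigMessage(checkpoint, ts))}
}

// MonitorPolicy is what a monitor requires before trusting a checkpoint.
type MonitorPolicy struct {
	Known     map[string]ed25519.PublicKey // trusted witness keys by name
	Threshold int                          // distinct witnesses required (8 of 10 in the comment's example)
	MaxAge    time.Duration                // oldest acceptable witness timestamp
}

// Check returns nil if the checkpoint is acceptable, else why not. A cosignature
// counts only if it verifies under a known witness key, is neither stale nor
// future-dated, and that witness has not already been counted.
func (p MonitorPolicy) Check(checkpoint string, cosigs []Cosignature, now time.Time) error {
	counted := map[string]bool{}
	for _, c := range cosigs {
		pub, ok := p.Known[c.Witness]
		if !ok || counted[c.Witness] {
			continue
		}
		if !ed25519.Verify(pub, cosigMessage(checkpoint, c.Timestamp), c.Sig) {
			continue
		}
		age := now.Sub(time.Unix(c.Timestamp, 0))
		if age < 0 || age > p.MaxAge {
			continue
		}
		counted[c.Witness] = true
	}
	if len(counted) < p.Threshold {
		return fmt.Errorf("checkpoint has %d valid, fresh cosignatures; monitor requires %d", len(counted), p.Threshold)
	}
	return nil
}

func main() {
	// Constructed sample: ten witnesses and one checkpoint body in
	// tlog-checkpoint layout (origin, tree size, base64 root hash) with a made-up hash.
	now := time.Now()
	checkpoint := "example.org/keys\n1234\nWGzm7Y2kSoPaP2bF2zPNGyk6o4EM1HL1pA7S0F0JA9M=\n"
	known := map[string]ed25519.PublicKey{}
	var witnesses []Witness
	for i := 0; i < 10; i++ {
		w := NewWitness(fmt.Sprintf("witness-%d", i))
		witnesses = append(witnesses, w)
		known[w.Name] = w.Pub
	}
	monitor := MonitorPolicy{Known: known, Threshold: 8, MaxAge: 24 * time.Hour}

	var fresh, stale []Cosignature
	for _, w := range witnesses {
		fresh = append(fresh, w.Cosign(checkpoint, now))
		stale = append(stale, w.Cosign(checkpoint, now.Add(-72*time.Hour)))
	}
	fmt.Println("10 fresh cosignatures:", monitor.Check(checkpoint, fresh, now))
	fmt.Println("3 fresh cosignatures (a 3-of-10 relying-party quorum):", monitor.Check(checkpoint, fresh[:3], now))
	fmt.Println("10 cosignatures from three days ago:", monitor.Check(checkpoint, stale, now))
}
```

The monitor's threshold is deliberately separate from whatever quorum relying parties accept: with a 3-of-10 relying-party policy, a log could hand relying parties one tree head signed by three witnesses and monitors a different one signed by three others, so the monitor only trusts a view that at least 8 of the 10 have signed, which forces the two views to share a witness. The freshness window closes the other gap, an old but validly witnessed checkpoint hiding newer entries.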
FiloSottile|2 months ago
I'll add a note to the part of the article that mentions non-majority policies.
notyourancilla|2 months ago
Of all the words we could've used to explain how to pronounce something
dctoedt|2 months ago
Glad I preserved a tweet that commented on a subheadline at The Verge from when the creator of the GIF died:
Subheadline from The Verge: "It's pronounced 'jif'"
Tweet: "I guess he's with jod now"
https://toedtclassnotes.site44.com/#orgdf3fc45
upofadown|2 months ago
There was a theory floating around back in 2018 that the append-only nature of the SKS network makes it effectively illegal due to the GDPR "right to erasure" but nothing came of that and the SKS network is still alive:
* https://spider.pgpkeys.eu/