FRESH

Hacker News

Building a Transparent Keyserver

78 points by noident

by agwa

1 subcomments

There are a couple things missing from this:
1. The monitoring client does not ensure that the checkpoint was created recently, so a malicious log can conceal malicious entries from monitors by serving an old checkpoint.
2. Though the age keyserver policy is not configured this way, the post suggests you could create a policy that requires only a minority of witnesses (e.g. 3 of 10) to cosign a checkpoint. If you do this, then monitors have to get checkpoints that are cosigned by at least 8 of the 10 witnesses. Otherwise, a malicious log could present one view to relying parties that is cosigned by one set of witnesses, and a different view to monitors that is cosigned by a different set of witnesses. There is currently no mechanism specified for monitors to get these extra cosignatures, so if you go with a minority policy you'll need to invent your own stuff in order for witnessing to actually accomplish anything.

by Thom2000

1 subcomments

I wonder if they think of a deeper integration of this into the age binary. Currently the invocation looks extremely ugly:
```
    age -r $(go run filippo.io/torchwood/cmd/age-keylookup@main joe@example.com)
```

by miki123211

1 subcomments

As a monitor, how do you differentiate between the operator removing a poisoned key versus them adding a malicious key and then trying to hide that fact?

by notyourancilla

4 subcomments

> The author pronounces it [aɡe̞] with a hard g, like GIF, and is always spelled lowercase.
Of all the words we could've used to explain how to pronounce something

by sublimefire

1 subcomments

Dunno, IMO you need to know the bits of what operator is running to fully trust the third party, eg run in an enclave and share attestation evidence and the source code. Otherwise, operator can just mimic the appearance of the log.

by noident

1 subcomments

by upofadown

1 subcomments

The good old SKS network achieves most or all of the advantages of key transparency in a simpler way by being append-only. An attacker could downgrade your PGP identity on one server but the rest would have the newest version you uploaded to the network.
There was a theory floating around back in 2018 that the append-only nature of the SKS network makes it effectively illegal due to the GDPR "right to erasure" but nothing came of that and the SKS network is still alive:
* https://spider.pgpkeys.eu/