[6312] in cryptography@c2.net mail archive


Re: PGP on an e-commerce site

daemon@ATHENA.MIT.EDU (Dave Del Torto)
Mon Jan 3 21:34:33 2000

Mime-Version: 1.0
Message-Id: <p04300d0cb496c59a54fd@[192.168.248.7]>
In-Reply-To: <200001020346.WAA09530@world.std.com>
Date: Mon, 3 Jan 2000 16:21:49 -0800
To: Dan Geer <geer@world.std.com>
From: Dave Del Torto <ddt@lsd.com>
Cc: cryptography@c2.net, PGP Users <pgp-users@joshua.rivertown.net>
Content-Type: text/plain; charset="us-ascii"

At 10:46 pm -0500 2000-01-01, Dan Geer wrote:
>My daughter was ordering a CD this evening from the site cdnow.com
>and I noted that besides the SSL option they also had a PGP option.
>Take a look at
>
>http://www.cdnow.com/cgi-bin/mserver/SID=0/pagename=/RP/HELP/order.html#8q
>
>This is new to me.


This is indeed *very* interesting, and yes, a relatively new phenomenon, notwithstanding the old "Phil's Pretty Good Software" t-shirt purchase mechanism and a handful of other small-business examples of Yore.

One would hope it's also the tip of a huge "iceberg" of people taking their online e-commerce security into their own hands, since VeriSign now owns Thawte too, making for a potential trust monopoly of staggering proportions. Of course, it's also symbolic of a serious can-of-worms being opened: the ability of the PGP PKI to create viable webs of validity for business use, à la X.509v3 Certificate Authorities. If major online vendors begin to offer this simple feature for die-hards like us, then perhaps the time has never been more ripe for someone to provide serious PGP business certification services (GTE CyberTrust, et alia, are you listening?).

In any case, I was as intrigued as Dan, so I did a little investigating into the trust metrics on the CDNOW key. I would never expect your average consumer, PGP-equipped or not, to delve this way, but let's just call this a basic cp trust analysis for now.

The canonical instance of the CDNOW key (keyid = 0xC894F687, userid = "CDnow! The Internet Music Store   <manager@cdnow.com>") is supposedly on their own website <http://www.cdnow.com/cgi-bin/mserver/SID=336979276/pagename=/RP/HELP/pgp.html>. Assuming no-one is spoofing that particular page for all HTTP queries (certainly possible, but unlikely), one finds there a 1024-bit RSA key exported from PGP v2.7 (that's an old ViaCrypt version, a clue right there) with the key owner's self-signature. The self-signed key is a good sign and also a clue to the key's origin, since those old PGP 2.x-based versions did not automatically self-sign keys upon generation as version 5.x+ does: the owner had to be clueful enough to put it there. There's also a signature from a key belonging to David Barnhart, a former ViaCrypt employee and later a colleague of mine at PGP Inc. He's probably the clueful one responsible for the bare bones WoT on the CDNOW key.

Here the plot thickens: If the only two sigs on the key at CDNOW are the key-owner's sig and David's, then the ability of any CDNOW customer to trust the key's security is based on David's "trustability quotient" as well as the ability of CDNOW to prevent spoofing of its webpages. Giving CDNOW the benefit of the doubt in this case, this means that David has become the de facto PGP Certificate Authority for CDNOW, which implies more liability than he's probably willing to take on personally, so it may be that he's a CDNOW employee and therefore has some legal protections (one hopes it's in his contract).

Unfortunately, the old RSA key David used (0x67ECF13D) to sign the CDNOW key has no CDNOW userid on it to indicate his affiliation with the company, nor is his key found on the CDNOW website, which means that any CDNOW customer who wishes to trust the CDNOW key must know enough to go fetch David's key from elsewhere, check the validity on it individually and build his/her WoT manually as I've done. As I pointed out above, that's not bloody likely.

I found a better WoT-connected version of the CDNOW key on Highware's OpenKeyServer:
<http://www.keyserver.net:11371/pks/lookup?op=vindex&template=ensearch,ennomatch,enerror&search=0xC894F687>.

Interestingly, David's (old) key <http://www.keyserver.net:11371/pks/lookup?op=vindex&template=ensearch,ennomatch,enerror&search=0x67ECF13D> is a 512-bit RSA key (compromisable at this point by a sophisticated competitive online CD vendor in, say, Japan), and it has no signatures of any importance (in terms of validity calculations) on it other than one: Phil Zimmermann (using his key 0xC7A966DD). No offense to the other signers, but I don't even recognize any of their names.

Now, I seriously doubt that PRZ is going to take on any fiscal responsibility for a security failure during a product order at CDNOW, but this at least produces a trust chain that gives me *some* warm'n'fuzzy metrics: I once had the brazen temerity, many moons ago at his house in Boulder CO, to require Phil to show me some photo identification before I'd sign his key <http://www.keyserver.net:11371/pks/lookup?op=vindex&template=ensearch,ennomatch,enerror&search=0xC7A966DD> with my old RSA key <http://www.keyserver.net:11371/pks/lookup?op=vindex&template=ensearch,ennomatch,enerror&search=0x4AAF00E5>. Phil was bemused by my enthusiasm at the time, but hey... even back then some of us knew the WoT had to start SOMEwhere! ;) However, your average CDNOW customer is not likely to have checked PRZ's key personally.

Moving on, CDNOW's key was created on 1994-11-25 which, unless I'm mistaken, was before CDNOW even existed(?). Further, the self-signature was not generated on the same day as the key-generation, but instead three months later on 1995-03-07. Perhaps this may even be an old key of David's which he has repurposed for business use at CDNOW: this is not a bad thing in itself, but it does raise more interesting issues that are beyond the scope of my little investigation here.

Well, it's obvious where this is going: to use CDNOW's PGP key with the same sort of validity assurance as their SSL certificate, some WoT work still needs to be done. However, this is still a positive sign, even if it's the work of one old-time PGP-hand (David B) who might be working for CDNOW.

For now, I'd recommend that CDNOW spend a little bit of time to do this right:

 0. Provide a very basic PGP Certificate Policy Statement (CPS).

 1. Generate a new Secure Transaction Key (the STK should have an
    expiration date)

 2. Generate a Corporate Signing Key
    (a DH key with no enc subkeys, stored securely and shared to
    3+ corp officers)

 3. Sign the new STK with the CSK

 4. Sign the new STK with the old RSA key (to carry any remaining
    WoT forward)

 5. Revoke the old RSA key and circulate the Key Revocation
    Certificate widely

 6. Get a bunch of people with strong WoT trust connections to sign
    the STK

 7. Get one of the companies that supposedly supports PGP
    (VeriSign/Thawte?) to certify their CSK and STK

 8. Put *all* relevant keys in a single PGP Public Key Block on
    their website (on a PGP-signed page), next to their CPS.



   dave 
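
The certification chain traced in the message above, as an added example that is not part of the original post: it models the signatures the message names as a graph, finds the signer path from a verifier's own key to the CDNOW key, and flags links whose key size is weak or not stated. The key IDs and sizes come from the message; MIN_BITS, the function names and the customer key ID are assumptions made for the illustration.

```python
from collections import deque

# Key facts as stated in the message; bits is None where no size is given.
KEYS = {
    "0xC894F687": {"owner": "CDNOW", "bits": 1024},
    "0x67ECF13D": {"owner": "David Barnhart", "bits": 512},
    "0xC7A966DD": {"owner": "Phil Zimmermann", "bits": None},
    "0x4AAF00E5": {"owner": "Dave Del Torto", "bits": None},
}
# signer -> keys it certifies (self-signatures omitted: they add no path).
CERTIFIES = {
    "0x67ECF13D": ["0xC894F687"],
    "0xC7A966DD": ["0x67ECF13D"],
    "0x4AAF00E5": ["0xC7A966DD"],
}
MIN_BITS = 1024  # assumed policy threshold, not a value from the message


def cert_path(anchor, target):
    """Shortest chain of signatures from the verifier's key to the target."""
    queue, seen = deque([[anchor]]), {anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for signed in CERTIFIES.get(path[-1], []):
            if signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None  # no chain: the verifier cannot validate the target key


def assess(anchor, target):
    """Return the path plus the links a careful verifier should question."""
    path = cert_path(anchor, target)
    if path is None:
        return {"path": None, "weak": [], "unknown": []}
    sizes = [(k, KEYS[k]["bits"]) for k in path]
    return {
        "path": path,
        "weak": [k for k, b in sizes if b is not None and b < MIN_BITS],
        "unknown": [k for k, b in sizes if b is None],
    }


if __name__ == "__main__":
    print(assess("0x4AAF00E5", "0xC894F687"))   # the author's own chain
    print(assess("0xCUSTOMER", "0xC894F687"))   # constructed customer key
```

A path only shows that signatures exist; the verifier still has to trust each intermediate signer as an introducer before the target key counts as valid.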


