I required the PGP key of a colleague the other day. Now, don’t get me wrong, I was one of the original cypherpunks – encrypting anything and everything in the mid 90s and following Zimmermann’s maxim that more people utilizing encryption for unimportant emails will protect those who do truly require it by increasing ‘noise’. Since then I have maintained a functional PGP implementation on every machine I use. My code signing key and my primary real life identity key are kept on an air-gapped Sun SPARCstation and I use subkeys or secondary low security keys for e-mail and other day to day tasks.
That said, a large number of my contacts do not use encryption (not even S/MIME) and I guess statistically only about 20% of my email is actually encrypted. I try and sign anything important – even if the receiving user doesn’t necessarily know what to do with it.
Since the Snowden disclosures I have generated new public keys (4096 bit) for both my real life identity and my pseudonyms. I firmly believe that 1024 bit RSA keys are well and truly broken for a variety of reasons, especially to a well-funded adversary like a government intelligence agency. Since losing a key in the early days (my computer and backups were destroyed) I have always been more careful, signing my new key with my old one and then revoking the old key where possible. Some of my old keys just can’t be revoked as they have been used to sign code and are required for updates to be trusted. No doubt there are others in similar predicaments. Anyway, back to my story.
I had the need today to send an encrypted email to a colleague of mine who is particularly well known in the IT scene. I retrieved his key from the key server and contacted him via telephone to confirm the fingerprint.
Most of the people who had signed this individual’s key were known to me (and probably you) with the exception of one. A Mr. Michael Vario.
I proceeded to check keys for other well known figures in our industry. Bruce Schneier’s old key (he has since replaced his key but it is not on the MIT key server) is also signed by this individual. Hell, even Edward Snowden’s and Richard Stallman’s keys have been signed.
This was most unusual, so I fired up my favorite search engine and tried to determine who this attention seeker actually is. One result returned was an archived thread at Cryptome.
It is a disgrace to undermine the web of trust by signing other individuals’ keys en masse when you can’t even vouch for their identity. This is arguably worse than simple spam. It is an attack on the very trust model of PGP.
No doubt there are more individuals out there who are going to start doing just this. I imagine that if you retrieved a key dump and then just started to sign and re-upload key after key with a script you could cause considerable issues for the servers. Even if it handles the traffic, you’re severely affecting the usability of the servers where everyone seems to be signed by one guy.
Mr. Vario – if you are reading this – please explain to myself and the readers of this blog what possessed you to do something so ludicrous.
A. Do you have any guess as to why Cramer-Shoup isn’t a lot more widely used, and in particular why isn’t it implemented in preference of ElGamal?
B. http://blog.client9.com/2013/07/04/fun-with-pgp-part-2.html grep vario
There doesn’t appear to be a good reason. I guess RSA based asymmetric crypto was just “the fashion”. Theoretically calculating discrete logarithms should be more difficult than factoring to break prime based RSA so I know of no good reason why RSA is preferred.
Re Mr. Vario – no doubt you’ll be processing key dumps to feed into phuctor. Perhaps you can do a count as to how many promiscuous signers there are (and how many keys Mr. Vario has uh, defaced) if this info is collected at import time.
Just been thinking about this. Perhaps it has something to do with efficiency? I know that CS produces more ciphertext than ElGamal.
Shouldn’t be too hard to do, but I think I may be missing something here. What difference does it make whether some unknown signs or doesn’t sign keys? From what I understand of the workings of a WoT, the value of any vote is exactly the trust put on it. If nobody knows him, even should he sign the entire database this wouldn’t change the trust given any key by anyone. And if someone trusts him… well… they either are happy with his signature procedures in which case all is well, or else they aren’t, in which case they’ll have to modify their trust model. Nothing you or me or the key owners or anyone else should care about in any case. No? (And speaking of which, I personally put 0 trust on the implicit PGP WoT, I rely instead on the Bitcoin dedicated thing, which works a lot better for a few reasons, chief among which is a good IRC interface).
You’re right – sane users will ignore and distrust any user they do not know. This could be an issue if someone widely trusted was compromised and used to introduce other keys as supposedly valid but it isn’t viable as everyone’s trust settings differ and there just isn’t enough payoff for it to work.
The worst thing that this idiot has done is clutter up an already failing infrastructure with more meaningless crap. I spoke on Schneier.com about this a few months back and proposed we replace the antiquated key servers with something more modern and offered to spearhead the campaign. I gave quite a detailed plan but very few people care enough about it, so I decided it wasn’t worth the investment as I would get little back from it (both financially and in terms of ‘cred’). It is still something that interests me greatly.
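To make the point in the exchange above concrete (a certification is worth only the owner-trust the local user has assigned to the signer, and the signer’s own key must itself be valid before it counts at all), here is an added Python model of the classic OpenPGP validity calculation. It is constructed for this post, not GnuPG’s code; the key names and the “promiscuous” signer are hypothetical, and the last scenario covers the compromised-trusted-introducer case raised in the reply.

```python
# Toy model of the classic OpenPGP web-of-trust validity computation
# (constructed illustration, not GnuPG's code). Owner-trust levels follow
# GnuPG's menu; marginals_needed/completes_needed mirror its defaults.
from collections import defaultdict

UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)

def valid_keys(signatures, ownertrust, marginals_needed=3, completes_needed=1):
    """Return the set of keys the local user would consider fully valid.

    signatures: iterable of (signer, signed) pairs (the certifications on a key).
    ownertrust: {key: level} assigned by the local user; unlisted keys are UNKNOWN.
    A certification counts only if the signer's own key is already valid AND the
    user has given the signer FULL/ULTIMATE (complete) or MARGINAL owner-trust.
    Ultimately trusted keys are valid by definition; iterate to a fixed point.
    (GnuPG's max-cert-depth cutoff is omitted for brevity.)
    """
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        signers_of[signed].add(signer)
    keys = set(ownertrust) | set(signers_of) | {s for v in signers_of.values() for s in v}
    valid = {k for k, t in ownertrust.items() if t == ULTIMATE}
    changed = True
    while changed:
        changed = False
        for key in keys - valid:
            trusted = [ownertrust.get(s, UNKNOWN) for s in signers_of[key] if s in valid]
            completes = sum(t >= FULL for t in trusted)
            marginals = sum(t == MARGINAL for t in trusted)
            if completes >= completes_needed or marginals >= marginals_needed:
                valid.add(key)
                changed = True
    return frozenset(valid)

# Constructed key graph: "me" is the local user; "alice" was verified in person
# and trusted fully; "promiscuous" has certified every key on the server.
SIGS = [("me", "alice"), ("alice", "colleague")] + \
       [("promiscuous", k) for k in ("me", "alice", "colleague", "well_known_1", "well_known_2")]
TRUST = {"me": ULTIMATE, "alice": FULL}

def scenarios():
    """Compare validity with and without the mass signer under different trust settings."""
    without = [s for s in SIGS if s[0] != "promiscuous"]
    return {
        # Default: the stranger's key is neither valid nor trusted, so his signatures are inert.
        "default": valid_keys(SIGS, TRUST),
        "stranger_removed": valid_keys(without, TRUST),
        # Assigning him FULL owner-trust alone changes nothing: his key still is not valid.
        "trusted_but_unverified": valid_keys(SIGS, {**TRUST, "promiscuous": FULL}),
        # Only once a trusted, valid key certifies him does his bulk signing make every
        # key he touched valid: the compromised-introducer case from the thread.
        "trusted_and_certified": valid_keys(SIGS + [("alice", "promiscuous")], {**TRUST, "promiscuous": FULL}),
    }
```

Running `scenarios()` shows the first three results identical, which is exactly why a stranger’s mass signing cannot change anyone’s validity calculation; only the combination of a verified key and assigned owner-trust makes his signatures count.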
Mircea:
Sure.