I required the PGP key of a colleague the other day. Now, don’t get me wrong, I was one of the original cipherpunks – encrypting anything and everything in the mid 90s and following Zimmerman’s maxim that more people utilizing encryption for unimportant emails will protect those who do truly require it by increasing ‘noise’. Since then I have maintained a functional PGP implementation on every machine I use. My code signing key and my primary real life identity key are kept on an airgapped Sun SPARCStation and I use subkeys or secondary low security keys for e-mail and other day to day tasks.
That said, a large number of my contacts do not use encryption (not even S/MIME) and I guess statistically only about 20% of my email is actually encrypted. I try and sign anything important – even if the receiving user doesn’t necessarily know what to do with it.
Since the Snowden disclosures I have generated new public keys (4096 bit) for both my real life identity and my pseudonyms. I firmly believe that 1024 bit RSA keys are well and truly broken for a variety of reasons, especially to a well funded adversary like a government intelligence agency. Since losing a key in the early days (my computer and backups were destroyed) I have always been more careful, signing my new key with my old one and then revoking the old key where possible. Some of my old keys just can’t be revoked as they have been used to sign code and are required for updates to be trusted. No doubt there are others in similar predicaments. Anyway, back to my story.
I had the need today to send an encrypted email to a colleague of mine who is particularly well known in the IT scene. I retrieved his key from the key server and contacted him via telephone to confirm the fingerprint.
Most of the people who had signed this individual’s key were known to me (and probably you) with the exception of one. A Mr. Michael Vario.
I proceeded to check keys for other well known figures in our industry. Bruce Schneier’s old key (he has since replaced his key but it is not on the MIT key server) is also signed by this individual. Hell, even Edward Snowden and Richard Stallman’s keys have been signed.
This was most unusual, so I fired up my favorite search engine and tried to determine who this attention seeker actually is. One result returned was an archived thread at Cryptome.
It is a disgrace to undermine the web of trust by signing other individual’s keys en masse when you can’t even vouch for their identity. This is arguably worse than simply spam. It is an attack on the very trust model of PGP.
No doubt there are more individuals out there who are going to start doing just this. I imagine that if you retrieved a key dump and then just started to sign and re-upload key after key with a script you could cause considerable issues for the servers. Even if it handles the traffic, you’re severely affecting the usability of the servers where everyone seems to be signed by one guy.
Mr. Vario – if you are reading this – please explain to myself and the readers of this blog what possessed you to do something so ludicrous.