Validity and Opportunistic encryption

This page is intended as a discussion base for validity display and opportunistic mail encryption when using the trust-model tofu+pgp.

TODO:

Things to discussion and Feedback not integrated in this draft

• There should probably be fifth level for direct trust that can't be reached through the web of trust.
• There should be a minimal time before a key reaches level 2 through Tofu
  • Rationale: An attack is more expensive if it has to be kept up over a longer time and this provides the opportunity for intervention if the attack is detected by another person.
• tofu conflict handling needs more thoughts. We need to think through how this can be caused / how possible attacks may look like and how we want to guard against them. We should try very hard to avoid asking the user to check fingerprints and try to resolve conflicts automatically.
• Encryptcount may be additional info especially when counted over a time period. The rationale for not using it must be better explained.
• The yellow checker does not work as a symbol.
• Signed mails on Level 1 should maybe be shown more positive as an indication that the sender has demonstrated his willingness to use crypto mails.

Trust Levels

• Level 0 (Validity Unknown): With trust-model tofu+pgp this is only for Keys that were never used before to verify a signature.

• Level 1 (Validity Marginal && (Signcount < 10)): We have some confidence that the recipient actually can use the key as we have seen at least one signature or we have a weak trust path over the WOT. It's OK to use that Key for Opportunistic encryption but when receiving a signed message we should only show in details that a message was signed.

• Level 2 (Validity Marginal && (Signcount >= 10 || Key retrieved through slightly authenticated source (e.g. WKD)): We have some basic confidence that the Sender is who he claims because we either have an established communication history or the source of the key (e.g. the mail provider) provided the key for this sender. This is the highest level you can achieve without user interaction.

• Level 3 (Validity Full): This is reached either through Web of Trust or if a user explicitly set the tofu Policy to "Good" for this key. High confidence.

Rationale

Originally the idea was to just have three states "Verified Sender", "Unverified Sender" and "Key is good enough for opportunistic Encryption".

After discussions about that this was too simplistic because we have to distinguish still between "I have manually checked this key" and just automatic Trust based on history.

Without a manual check we can never fully claim that the senders identity was verified. So with need an additional level for manually checked keys.

Why is Encrypt count not used ?

Encryption does not imply communication. You can easily encrypt 10 files or mails to a key and have no idea if the recipient can actually decrypt them. In contrast the signcount shows that the sender has signed with this key and you have verified so a communication has happened involving this key.

Signature Status

There should only be one prominent information when reading a signed mail:

• Is there additional information that the sender is really is the indented communication partner. (Level 2 + Level 3)

This could be displayed as a checker or a seal ribbon or something. It should be prominent and next to the signed content. There should be a distinction between Levels two and three but it may be slight.

Don't treat signed mails worse then an unsigned mail

A MUA should not treat any signed mail worse then an unsigned mail. If a sender is not verified it should be displayed similar to an unsigned mail because in both cases you have no information that the Sender is actually your intended Communication partner. You may want to show a tofu Conflict more prominent as user interaction is required at this point.

Especially: ignore GPGME's Red suggestion An attacker would have removed the signature instead of invalidating it. It should be treated like an unsigned mail and only additional info in details should be shown for diagnostic purposes. Similarly when Red is set because a key is expired or so. It's not more negative then a unsigned mail.

Put it in Details

The information that a Mail was signed should of course be available even if the signature could not be used to verify the sender. And the user should get tips how to verify the sender (e.g. exchange fingerprints out of Band) but this should be "Details". Although easily accessible this should not be needed to establish cryptographically secured communication.

Conflict handling

A tofu conflict means that you have seen two keys for a userid and that the keys are not cross-signed and both are valid. Still in most cases this will be a false positive because someone has multiple keys and made the usage error not to cross-sign them. A dialog should be offered that asks the user to check with the sender and then:

• Use the new key from now on. (Policy auto on the new Key, Policy bad on the old key)
• Reject the new key (Policy bad on the new key, Policy auto on the old key)
• Accept both keys, if the user claims to have verified that both keys are good (Policy Good on both keys)

Accepting both keys will change the validity from Marginal to Full. This is intentional because the question / option should be phrased in a way that a user did a manual check in that case.

Opportunistic Encryption (Mail only)

A MUA should offer automated opportunistic encryption. To determine if a mail can be sent encrypted one of the following rules must match for each recipient:

• There is a Fully / Ultimately valid key for the recipient.
• This is a marginally valid key for the recipient and the first UserID that matches the recipients mailbox has a signcount of at least one. Or the recipients key was obtained through a slightly authenticated source (e.g. WKD).

Marginal Substates

For Marginal trusted keys there should be a visible hint that the recipient's key might not be the intended recipient. E.g. a Lock symbol with different overlays for warning, yellow checker, green checker.

These substates should indicate:

• Very little confidence (marginal + signcount < 10)
• Basic confidence (marignal + signcount >= 10)

They may indicate:

• Good confidence (marginal + signcount >= 100)

Auto Key Retrieve

If you receive a message from an Unknown Key a MUA should automatically retrieve it from a public keyserver or a Web Key directory. This Key can then be used for opportunistic encryption because you have seen a signature it is very likely that the recipient can decrypt. (auto-key-retrieve in gnupg)

Screenshots from GpgOL

No key was found. Level 0.

The first signed message form someone else. Level 1.

The second message. Level 1.

Basic trust! Level 2.

Full trust! Level 3.

Invalid sig. Level 0.

Tofu conflict. User attention required.