At 10:46 pm -0500 2000-01-01, Dan Geer wrote:
>My daughter was ordering a CD this evening from the site cdnow.com
>and I noted that besides the SSL option they also had a PGP option.
>Take a look at
>
>http://www.cdnow.com/cgi-bin/mserver/SID=0/pagename=/RP/HELP/order.html#8q
>
>This is new to me.
This is indeed *very* interesting, and yes, a relatively new phenomenon,
notwithstanding the old "Phil's Pretty Good Software" t-shirt purchase mechanism and a
handful of other small-business examples of Yore.
One would hope it's also the tip of a huge "iceberg" of people taking their online
e-commerce security into their own hands, since VeriSign now owns Thawte too, making
for a potential trust monopoly of staggering proportions. Of course, it's also
symbolic of a serious can-of-worms being opened: the ability of the PGP PKI to be able
to create viable webs of validity for business use, ala X.509v3 Certificate
Authorities. If major online vendors begin to offer this simple feature for die-hards
like us, then perhaps the time has never been more ripe for someone to provide serious
PGP business certification services (GTE CyberTrust, et alia, are you listening?).
In any case, I was as intrigued as Dan, so I did a little investigating into the trust
metrics on the CDNOW key. I would never expect your average consumer, PGP-equipped or
not, to delve this way, but let's just call this a basic cp trust analysis for now.
The canonical instance of the CDNOW key (keyid = 0xC894F687, userid = "CDnow! The
Internet Music Store <[EMAIL PROTECTED]>") is supposedly on their own website
<http://www.cdnow.com/cgi-bin/mserver/SID=336979276/pagename=/RP/HELP/pgp.html>.
Assuming no-one is spoofing that particular page for all HTTP queries (certainly
possible, but unlikely), one finds there a 1024-bit RSA key exported from PGP v2.7
(that's an old ViaCrypt version, a clue right there) with the key owner's
self-signature. The self-signed key is a good sign and also a clue to the key's
origin, since those old PGP 2.x-based versions did not automatically self-sign keys
upon generation as version 5.x+ does: the owner had to be clueful enough to put it
there. There's also a signature from a key belonging to David Barnhart, a former
ViaCrypt employee and later a colleague of mine at PGP Inc. He's probably the clueful
one responsible for the bare bones WoT on the CDNOW key.
Here the plot thickens: If the only two sigs on the key at CDNOW are the key-owner's
sig and David's, then the ability of any CDNOW customer to trust the key's security is
based on David's "trustability quotient" as well as the ability of CDNOW to prevent
spoofing of its webpages. Giving CDNOW the benefit of the doubt in this case, this
means that David has become the defacto PGP Certificate Authority for CDNOW, which
implies more liability than he's probably willing to take on personally, so it may be
that he's a CDNOW employee and therefore has some legal protections (one hopes it's in
his contract).
Unfortunately, the old RSA key David used (0x67ECF13D) to sign the CDNOW key has no
CDNOW userid on it to indicate his affiliation with the company, nor is his key found
on the CDNOW website, which means that any CDNOW customer who wishes to trust the
CDNOW key must know enough to go fetch David's key from elsewhere, check the validity
on it individually and build his/her WoT manually as I've done. As I pointed out
above, that's not bloody likely.
I found a better WoT-connected version of the CDNOW key on Highware's OpenKeyServer:
<http://www.keyserver.net:11371/pks/lookup?op=vindex&template=ensearch,ennomatch,enerror&search=0xC894F687>.
Interestingly, David's (old) key
<http://www.keyserver.net:11371/pks/lookup?op=vindex&template=ensearch,ennomatch,enerror&search=0x67ECF13D>
is a 512-bit RSA key (compromisable at this point by a sophisticated competitive
online CD vendor in, say, Japan), and it has no signatures of any importance (in terms
of validity calculations) on it other than one: Phil Zimmermann (using his key
0xC7A966DD). No offense to the other signers, but I don't even recognize any of their
names.
Now, I seriously doubt that PRZ is going to take on any fiscal responsibility for a
security failure during a product order at CDNOW, this at least produces a trust chain
that gives me *some* warm'n'fuzzy metrics: I once had the brazen temerity, many moons
ago at his house in Boulder CO, to require Phil to show me some photo identification
before I'd sign his key
<http://www.keyserver.net:11371/pks/lookup?op=vindex&template=ensearch,ennomatch,enerror&search=0xC7A966DD>
with my old RSA key
<http://www.keyserver.net:11371/pks/lookup?op=vindex&template=ensearch,ennomatch,enerror&search=0x4AAF00E5>.
Phil was bemused by my enthusiasm at the time, but hey... even back then some of us
knew the WoT had to start SOMEwhere! ;) However, your average CDNOW customer is not
likely to have checked PRZ's key personally.
Moving on, CDNOW's key was created on 1994-11-25 which, unless I'm mistaken, was
before CDNOW even existed(?). Further, the self-signature was not generated on the
same day as the key-generation, but instead three months later on 1995-03-07. Perhaps
this may even be an old key of David's which he has repurposed for business use at
CDNOW: this is not a bad thing in itself, but it does raise more interesting issues
that are beyond the scope of my little investigation here.
Well, it's obvious where this is going: to use CDNOW's PGP key with the same sort of
validity assurance as their SSL certificate, some WoT work still needs to be done.
However, this is still a positive sign, even if it's the work of one old-time PGP-hand
(David B) who might be working for CDNOW.
For now, I'd recommend that CDNOW spend a little bit of time to do this right:
0. Provide a very basic PGP Certificate Policy Statement (CPS).
1. Generate a new Secure Transaction Key (the STK should have an
expiration date)
2. Generate a Corporate Signing Key
(a DH key with no enc subkeys, stored securely and shared to
3+ corp officers)
3. Sign the new STK with the CSK
4. Sign the new STK with the old RSA key (to carry any remaining
WoT forward)
5. Revoke the old RSA key and circulate the Key Revocation
Certificate widely
6. Get a bunch of people with strong WoT trust connections to sign
the STK
7. Get one of the companies that supposedly supports PGP
(VeriSign/Thawte?) to certify their CSK and STK
8. Put *all* relevant keys in a single PGP Public Key Block on
their website (on a PGP-signed page), next to their CPS.
dave
