Are TOFU statistics used for validity or conflict resolution?

Teemu Likonen
Are TOFU statistics used for key's validity calculations or TOFU
conflict resolution?

Some background: The TOFU system keeps statistics about key's use. I'll
quote some lines from the DETAILS document.

About --with-colons --with-tofu-info --list-keys:


    *** TFS - TOFU statistics

        This field may follows a UID record to convey information about
        the TOFU database.  The information is similar to a TOFU_STATS
        status line.

        - Field 2 :: tfs record version (must be 1)
        - Field 3 :: validity -  A number with validity code.
        - Field 4 :: signcount - The number of signatures seen.
        - Field 5 :: encrcount - The number of encryptions done.
        - Field 6 :: policy - A string with the policy
        - Field 7 :: signture-first-seen - a timestamp or 0 if not known.
        - Field 8 :: signature-most-recent-seen - a timestamp or 0 if not known.
        - Field 9 :: encryption-first-done - a timestamp or 0 if not known.
        - Field 10 :: encryption-most-recent-done - a timestamp or 0 if not known.


About --status-fd output's TOFU_STATS:


    *** TOFU_STATS <MANY_ARGS>

        Statistics for the current user id.

        The <MANY_ARGS> are the usual space delimited arguments.  Here we
        have too many of them to fit on one printed line and thus they are
        given on 3 printed lines:

        : <summary> <sign-count> <encryption-count>
        : [<policy> [<tm1> <tm2> <tm3> <tm4>
        : [<validity> [<sign-days> <encrypt-days>]]]]

        Values for SUMMARY are:
        - 0 :: attention, an interaction with the user is required (conflict)
        - 1 :: key with no verification/encryption history
        - 2 :: key with little history
        - 3 :: key with enough history for basic trust
        - 4 :: key with a lot of history


It _seems_ to me that

    - Field 3 :: validity -  A number with validity code.

is the same thing as SUMMARY in TOFU_STATS. Am I right?

And here's my question again: Does the SUMMARY field's value (0-4) have
effect on how key's validity is calculated or how TOFU conflicts are
resolved or presented to a user?

--
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Are TOFU statistics used for validity or conflict resolution?

Teemu Likonen
Teemu Likonen [2017-06-22 09:42:50+03] wrote:

> Does the SUMMARY field's value (0-4) have effect on how key's validity
> is calculated or how TOFU conflicts are resolved or presented to a
> user?

I didn't get answers yet but I'll speculate a bit on the subject. This
is all about "trust-model tofu" and assume that I have _not_ set
"--tofu-policy" manually.

Let's say that I have a key which has been used to verify a couple of
signatures. Then there comes another key with conflicting email address.
It seems that tofu goes to "ask" mode for _both_ keys (user ids). User
needs to decide and set the tofu policy for both.

Then let's say I have a key which has been used to verify hundred or so
signatures. In --status-fd's TOFU_STATS <summary> it gets higher value,
say 4. Then the keyring gets a new key with conflicting email address.
Does gpg again set both keys (user ids) to tofu's "ask" mode or does
this higher number of good verifications automatically keep the first
key in "auto" mode and only the new key is set to "ask" mode?

--
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

Re: Are TOFU statistics used for validity or conflict resolution?

Neal H. Walfield
In reply to this post by Teemu Likonen
At Thu, 22 Jun 2017 09:42:50 +0300,
Teemu Likonen wrote:
> It _seems_ to me that
>
>     - Field 3 :: validity -  A number with validity code.
>
> is the same thing as SUMMARY in TOFU_STATS. Am I right?
>
> And here's my question again: Does the SUMMARY field's value (0-4) have
> effect on how key's validity is calculated or how TOFU conflicts are
> resolved or presented to a user?

TOFU influences validity.

By default, all known keys are marginally trusted in the TOFU model.
(This is more or less the "first use" bit of "trust on first use".)
In TOFU, the validity of a key is set to unknown if there is an
unresolved conflict.  The user can resolve a conflict either
positively (in which case the validity is full) or negatively (in
which case the validity is never).  Note: this means that it is
possible to make negative assertions when using TOFU, which is not
possible when using WoT.

The summary field in TOFU_STATS is a summary of the key's use.  The
basic idea is that in the absence of facts to the contrary, at the
limit (an infinite number of uses), a given key must have been the
right one (or is indistinguishable from the correct key, which is just
as good, because it means that nothing bad ever happened).  In other
words, a key that has been used for years is more likely to be the
correct one, than one that I've only used once.  In the former case,
I've had many more opportunities to detect a MitM attack.  The summary
field captures this using a simple scale that applications can then
somehow display to the user.  This is currently used by kmail and the
Outlook plug-in.

HTH,

:) Neal

Re: Are TOFU statistics used for validity or conflict resolution?

Neal H. Walfield
In reply to this post by Teemu Likonen
At Thu, 22 Jun 2017 20:32:48 +0300,
Teemu Likonen wrote:

> Teemu Likonen [2017-06-22 09:42:50+03] wrote:
> > Does the SUMMARY field's value (0-4) have effect on how key's validity
> > is calculated or how TOFU conflicts are resolved or presented to a
> > user?
>
> I didn't get answers yet but I'll speculate a bit on the subject. This
> is all about "trust-model tofu" and assume that I have _not_ set
> "--tofu-policy" manually.
>
> Let's say that I have a key which has been used to verify a couple of
> signatures. Then there comes another key with conflicting email address.
> It seems that tofu goes to "ask" mode for _both_ keys (user ids). User
> needs to decide and set the tofu policy for both.

Correct.

> Then let's say I have a key which has been used to verify hundred or so
> signatures. In --status-fd's TOFU_STATS <summary> it gets higher value,
> say 4. Then the keyring gets a new key with conflicting email address.
> Does gpg again set both keys (user ids) to tofu's "ask" mode or does
> this higher number of good verifications automatically keep the first
> key in "auto" mode and only the new key is set to "ask" mode?

No, both keys are set to ask.  The key with a lot of observed
signatures could be bad.  This could occur, if there is a MitM, but
the MitM has a small lapse, because, perhaps, you've used an
unintercepted network path to retrieve the "new" signature & key.

Re: Are TOFU statistics used for validity or conflict resolution?

Teemu Likonen
Neal H. Walfield [2017-06-23 11:14:31+02] wrote:

> At Thu, 22 Jun 2017 20:32:48 +0300, Teemu Likonen wrote:
>> Then let's say I have a key which has been used to verify hundred or
>> so signatures. In --status-fd's TOFU_STATS <summary> it gets higher
>> value, say 4. Then the keyring gets a new key with conflicting email
>> address. Does gpg again set both keys (user ids) to tofu's "ask" mode
>> or does this higher number of good verifications automatically keep
>> the first key in "auto" mode and only the new key is set to "ask"
>> mode?
>
> No, both keys are set to ask. The key with a lot of observed
> signatures could be bad. This could occur, if there is a MitM, but the
> MitM has a small lapse, because, perhaps, you've used an unintercepted
> network path to retrieve the "new" signature & key.

Thanks. So here's how my thinking has been as a tofu newbie.

 1. I assumed that the first key with particular email address would be
    automatically valid forever. Only new keys would go to "ask" mode on
    conflicts. That was my interpretation of "trust of first use". Well,
    I was wrong.

 2. New hypothesis: There needs to be enough history on verifying or
    encryption before the key is assumed automatically valid on
    conflicts. Then only new keys would go to "ask" mode on conflicts. I
    was wrong again.

I don't know whether my thinking is common but perhaps it would be
helpful if gpg's man page made clear that on conflict situation both
keys go to "ask" mode. A quote from my gpg 2.1.18 manual:


       --trust-model pgp|classic|tofu|tofu+pgp|direct|always|auto

              [...]

              tofu

                     TOFU stands for Trust On First Use. In this trust
                     model, the first time a key is seen, it is
                     memorized. If later another key is seen with a user
                     id with the same email address, a warning is
                     displayed indicating that there is a conflict and
                     that the key might be a forgery and an attempt at a
                     man-in-the-middle attack.


From that part I got the idea of getting warning only from new
conflicting keys. The first one would be trusted. The man page doesn't
say so but it was my interpretation.

Re: Are TOFU statistics used for validity or conflict resolution?

Peter Lebbing
In reply to this post by Neal H. Walfield
On 23/06/17 11:14, Neal H. Walfield wrote:
> No, both keys are set to ask.  The key with a lot of observed
> signatures could be bad.  This could occur, if there is a MitM, but
> the MitM has a small lapse, because, perhaps, you've used an
> unintercepted network path to retrieve the "new" signature & key.

So if I understand correctly, the "summary"/"validity" field merely
affects the text that is displayed to the user when displaying TOFU
statistics?

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


Re: Are TOFU statistics used for validity or conflict resolution?

Neal H. Walfield
At Fri, 23 Jun 2017 12:52:48 +0200,
Peter Lebbing wrote:

> On 23/06/17 11:14, Neal H. Walfield wrote:
> > No, both keys are set to ask.  The key with a lot of observed
> > signatures could be bad.  This could occur, if there is a MitM, but
> > the MitM has a small lapse, because, perhaps, you've used an
> > unintercepted network path to retrieve the "new" signature & key.
>
> So if I understand correctly, the "summary"/"validity" field merely
> affects the text that is displayed to the user when displaying TOFU
> statistics?

It's up to the GPG client to interpret it.  This document (authored by
Andre and me) has some recommendations for MUAs:

  https://wiki.gnupg.org/EasyGpg2016/AutomatedEncryption

:) Neal

Re: Are TOFU statistics used for validity or conflict resolution?

Peter Lebbing
On 23/06/17 12:56, Neal H. Walfield wrote:
> It's up to the GPG client to interpret it.  This document (authored by
> Andre and me) has some recommendations for MUAs:

Ah! Thanks for the information.

I was thinking about how GnuPG handled it, i.e., on the gpg command line
or as a backend for some frontend. I got the impression the "validity"
field affected the text of the gpg command line but nothing else
(g10/tofu.c:show_statistics() returns "show_warning" asserted for
validities below 3).

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


Re: Are TOFU statistics used for validity or conflict resolution?

Neal H. Walfield
At Fri, 23 Jun 2017 13:22:23 +0200,
Peter Lebbing wrote:

> On 23/06/17 12:56, Neal H. Walfield wrote:
> > It's up to the GPG client to interpret it.  This document (authored by
> > Andre and me) has some recommendations for MUAs:
>
> Ah! Thanks for the information.
>
> I was thinking about how GnuPG handled it, i.e., on the gpg command line
> or as a backend for some frontend. I got the impression the "validity"
> field affected the text of the gpg command line but nothing else
> (g10/tofu.c:show_statistics() returns "show_warning" asserted for
> validities below 3).

You're right: gpg also uses this information to display some
information.

Re: Are TOFU statistics used for validity or conflict resolution?

Neal H. Walfield
In reply to this post by Teemu Likonen
At Fri, 23 Jun 2017 13:45:39 +0300,
Teemu Likonen wrote:
> I don't know whether my thinking is common but perhaps it would be
> helpful if gpg's man page made clear that on conflict situation both
> keys go to "ask" mode. A quote from my gpg 2.1.18 manual:

I tried to improve the documentation in 243b2a570.  Thanks for the
suggestion.

:) Neal
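
The TOFU_STATS status line quoted in the first message, parsed the way a front end reading --status-fd might, as an added example that is not part of the original thread or of GnuPG's own code. The names `TofuStats`, `parse_tofu_stats` and `needs_user_decision` are hypothetical, the sample lines are constructed, and treating policy "ask" as requiring a decision is an assumption drawn from the discussion above.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# SUMMARY meanings exactly as listed in the quoted DETAILS text.
SUMMARY = {0: "conflict: user interaction required",
           1: "no verification/encryption history",
           2: "little history",
           3: "enough history for basic trust",
           4: "a lot of history"}

# Constructed sample lines (not captured from a real gpg run).
LONG_HISTORY = "[GNUPG:] TOFU_STATS 4 120 3 auto 1490000000 1498000000 0 0"
CONFLICT = "[GNUPG:] TOFU_STATS 0 120 3 ask"

@dataclass
class TofuStats:
    summary: int
    sign_count: int
    encryption_count: int
    policy: Optional[str] = None
    timestamps: Optional[Tuple[str, ...]] = None  # <tm1>..<tm4>, kept as text
    validity: Optional[str] = None                # kept as text, type not assumed
    days: Optional[Tuple[str, ...]] = None        # <sign-days> <encrypt-days>

def parse_tofu_stats(line: str) -> TofuStats:
    """Parse one status line; the bracketed groups nest, so only
    3, 4, 8, 9 or 11 arguments are well-formed."""
    words = line.split()
    if words[:2] != ["[GNUPG:]", "TOFU_STATS"]:
        raise ValueError("not a TOFU_STATS line")
    args = words[2:]
    if len(args) not in (3, 4, 8, 9, 11):
        raise ValueError(f"unexpected argument count: {len(args)}")
    stats = TofuStats(int(args[0]), int(args[1]), int(args[2]))
    if stats.summary not in SUMMARY:
        raise ValueError(f"unknown summary value: {stats.summary}")
    if len(args) >= 4:
        stats.policy = args[3]
    if len(args) >= 8:
        stats.timestamps = tuple(args[4:8])
    if len(args) >= 9:
        stats.validity = args[8]
    if len(args) == 11:
        stats.days = tuple(args[9:11])
    return stats

def needs_user_decision(stats: TofuStats) -> bool:
    """A conflict needs the user regardless of how many signatures were seen."""
    return stats.summary == 0 or stats.policy == "ask"
```
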
