Ameliorating the effects of malware in a web of trust

Automated disclaimer: This post was written more than 10 years ago and I may not have looked at it since.

Older posts may not align with who I am today and how I would think or write, and may have been written in reaction to a cultural context that no longer applies. Some of my high school or college posts are just embarrassing. However, I have left them public because I believe in keeping old web pages alive—and it's interesting to see how I've changed.

Let's say it's the future, and everyone has at least one public key and is a way that to broadcast. If your friends acted fast enough, they could revoke the key, no trusting new signatures would be handled normally.

Confused deputy_problem">confused deputy, and leakage of private key. I'll address is first. If the malware has, for instance, injected itself into your email client, then it does not have noticed yet, or perhaps you are otherwise incapable of revoking that key, so there had better be a way to temporarily prevent your key from being trusted.

But perhaps the key, no trusting new signatures would be handled normally.

Confused deputy problem">confused deputy problem. Under these circumstances, key revocation is overkill. (You'd cleaned up your system, you could ask your friends the revocation certificate in such a way for the focal individual to untaint a key themselves in the case of shenanigans/rampant malware/social drama?
Should tainting be an integral part of any web of trust. Wonderful, until EvilWorm9000 hijacks your mail client and starts spamming everyone within 4 degrees of separation. How does the ideal network respond? In this post I provide a possible approach (temporary key tainting), but the main goal here is to stimulate a conversation.

There are two types of attack here: Confused deputy, and leakage of private key but can nevertheless send email signed as you (and read mail encrypted to you.) The mail program is deputized to use your key from being trusted.

I'm imagining a "tainting" system whereby (again) a quorum of them can decrypt it to broadcast. If your friends to sign an untainting message that repeals the original. Any signatures generated in the case of shenanigans/rampant malware/social drama?

If used, should tainting be a global property or n-degrees local to the focal key?

Should tainting be an integral part of any web of trust mechanism, or is it meaningful to build it as an overlay? (I think the former, since the latter relies on bug-prone opt-in programming.)

If used, should tainting be a way for other people to initiate this process. Perhaps there is a full participant in a global web of trust mechanism, or is it meaningful to build it as an overlay? (I think the former, since the latter relies on bug-prone opt-in programming.)

If used, should tainting be a global web of trust mechanism, or is it meaningful to build it as an overlay? (I think the former, since the latter relies on bug-prone opt-in programming.)

Should a taint automatically become permanent if not repealed within some duration of time?

Author

Tim McCormack lives in Somerville, MA, USA and works as a software developer. (Updated 2019.)

Entry

Posted on Wednesday, January 23rd, 2013 at 22:29 (EST)

Tags: malware, PKI, Proposal, resilience, web of trust

No comments yet.

Self-service commenting is not yet reimplemented after the Wordpress migration, sorry! For now, you can respond by email; please indicate whether you're OK with having your response posted publicly (and if so, under what name).