The append-only aspect of some OpenPGP keystores encourages a user of
the keystore to rely on that keystore as a faithful reporter of
history, and one that will not misrepresent or hide the history that
they know about. An unfaithful "append-only" keystore could abuse the
trust in a number of ways, including withholding revocation
certificates, offering different sets of certificates to different
clients doing certificate lookup, and so on.¶
However, the most widely used append-only OpenPGP keystore, the
[SKS] keyserver pool, offers no cryptographically verifiable
guarantees that it will actually remain append-only. Users of the
pool have traditionally relied on its distributed nature, and the
presumption that coordination across a wide range of administrators
would make it difficult for the pool to reliably lie or omit
data. However, the endpoint most commonly used by clients to access
the network is hkps://hkps.pool.sks-keyservers.net
, the default for
[GnuPG]. That endpoint is increasingly consolidated, and currently
consists of hosts operated by only two distinct administrators,
increasing the risk of potential misuse.¶
Offering cryptographic assurances that a keystore could remain
append-only is an appealing prospect to defend against these kinds of
attack. Many popular schemes for providing such assurances are known
as "blockchain" technologies, or global append-only ledgers.¶
With X.509 certificates, we have a semi-functional Certificate
Transparency ([RFC6962], or "CT") ecosystem that is intended to
document and preserve evidence of (mis)issuance by well-known
certificate authorities (CAs), which implements a type of global
append-only ledger. While the CT infrastructure remains vulnerable to
certain combinations of colluding actors, it has helped to identify
and sanction some failing CAs.¶
Like other global append-only ledgers, CT itself is primarily a
detection mechanism, and has no enforcement regime. If a widely-used
CA were identified by certificate transparency to be untrustworthy,
the rest of the ecosystem still needs to figure out how to impose
sanctions or apply a remedy, which may or may not be possible.¶
CT also has privacy implications -- the certificates published in the
CT logs are visible to everyone, for the lifetime of the log.¶
For spam abatement, CT logs decline all X.509 certificates except
those issued by certain CAs (those in popular browser "root stores").
This is an example of the strategy outlined in Section 4.9).¶
Additional projects that provide some aspects of global append-only
ledgers that try to address some of the concerns described here
include [KEY-TRANSPARENCY] and [CONIKS], though they are not
specific to OpenPGP. Both of these systems are dependent on servers
operated by identity providers, however. And both offer the ability
to detect a misbehaving identity provider, but no specific enforcement
or recovery strategies against such an actor.¶
It's conceivable that a keystore could piggyback on the CT logs or
other blockchain/ledger mechanisms like [BITCOIN] to store
irrevocable pieces of data (such as revocation certificates). Further
work is needed to describe how to do this in an effective and
performant way.¶
14.2. Social Graph
Third-party certifications effectively map out some sort of social graph. A certification asserts a statement of belief by the issuer that the real-world party identified by the user ID is in control of the subject cryptographic key material. But those connections may be potentially sensitive, and some people may not want these maps built.¶
A first-party-only keyserver (Section 8.2) avoids this privacy concern because it distributes no third-party privacy concern.¶
First-party attested third-party certifications described in Section 8.4 are even more relevant edges in the social graph, because their bidirectional nature suggests that both parties are aware of each other, and see some value in mutual association.¶