[Standards] Some thoughts on possible OMEMO trust models

Vanitas Vitae vanitasvitae at riseup.net
Sun Feb 19 21:32:00 UTC 2017


As part of my bachelor thesis I thought about future development of the
OMEMO protocol extension (xep-0384).

Some downsides of the current OMEMO usage are:
* Whenever I add a new OMEMO device, I have to redo trust decisions for
each device of all my contacts.
* Whenever a contact adds a new OMEMO device, I have to do a trust
decision on every one of my devices.
* Whenever I revoke one of my devices, I have to inform all of my
contacts and everyone has to manually distrust the device
* Whenever a contact revokes a device, I have to distrust it on every
one of my devices.

(The third and fourth point might be invalid, because the one that
revokes their device can clear all active devices and also change their
xmpp accounts password, preventing the stolen/lost device to log in and
become active again)

So currently it is very annoying to keep trust synchronized across all
devices. This also makes OMEMO poorly usable for IoT, since most IoT
devices have no usable interface to make trust decisions.

I thought a little about it and here is what I came up with. Variant I
contains some ideas for some kind of web-of-trust for eg. chat devices
that have a usable configuration interface.
Variant II could be used for IoT devices with poor configuration interfaces.

Variant I:
Let's assume, I use device A and trusted some contact devices.
What I could do is:
* Whenever I trust a device "a" on my device A, I sign the fingerprint
of "a"'s identity key with my own identity key and upload the signature
to a private pubsub node (lets call it the "trust-node-A").
* When I start to use a new device B, I can fetch the contents of A's
trust-node. When I decide on B, that I trust device A, I can check all
the signatures in A's trust-node and automatically  have transitive
trust all devices trusted by A.

The downside of this is, that there is a "trust gradient", meaning that
older devices are higher up in the trust hierarchy than newer ones (what
happens, when you lose device A?) Also distrusting devices might be a
For distrusting a device, we could sign not only the fingerprint of the
device, but also a state indicator like "trust:FINGERPRINT"
(trust-proof) or "distrust:FINGERPRINT" (distrust-proof). That way,
devices could automatically ignore/delete trust-proofs, when there is
one or more distrust-proof.
Possible problem: What happens when an attacker distrusts all your
devices or creates paradox trust decisions? Eg. assume we have devices
A,B,C. A trusts B, B trusts C, C trusts A.
B distrusts A, C distrusts B, A distrusts C. How to resolve? You might
decide by counting, which device is trusted/distrusted by the majority
of device, but that would defeat the purpose of the whole system, since
again trust decisions must be made on each device. Is there something
useful for this in the OpenPGP-World?

It would be easier to have a single trust-node, that simply contains a
trust-proof for trusted devices and/or a distrust-proof for untrusted
devices. That way paradox situations are impossible.
Unfortunately it is not possible (or is it?) to use a single trust-node,
since we do not have a signature key that is shared between all devices.

Variant II:
This could be handy for IoT and is less complicated (I hope :D).
Since IoT devices often do not have an easy to use interface for
configuration, it might be a hassle to do trust decisions on them (which
other devices should be trusted).
To improve this, we might add a master-device, so each device only must
trust the master. The master decides, which devices are trusted by
signing their identity keys and publishing the signature on the
trust-node. Each thing looks up the trust-node to decide, which other
things to trust. When a device is not in the trust node, it must be
(I don't know, how IoT is done with xmpp. In this model, all things have
the same jid. I don't know, whether this is also possible with unique
jids for each thing.)

You might as well create different trust-nodes for different "groups" of
devices. That way you could group devices together. When a device
fetches the trust-nodes, it has to trust only those devices, that it is
in a group with together and distrust all devices that it does not share
a group with.

So what do you think of this?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20170219/04cc8064/attachment.sig>

More information about the Standards mailing list