[Standards] Some thoughts on possible OMEMO trust models

Jonas Wielicki jonas at wielicki.name
Mon Feb 20 06:50:09 UTC 2017



Hi!

On Sunday, 19 February 2017 22:32:00 CET Vanitas Vitae wrote:
> As part of my bachelor thesis 

Cool!

> I thought about future development of the OMEMO protocol extension 
> (xep-0384).

I haven’t looked into OMEMO yet myself, but I think I can nevertheless provide 
some input.

> [… current situation and issues …]

> Variant I:
> Let's assume, I use device A and trusted some contact devices.
> What I could do is:
> * Whenever I trust a device "a" on my device A, I sign the fingerprint
> of "a"'s identity key with my own identity key and upload the signature
> to a private pubsub node (let's call it the "trust-node-A").
> * When I start to use a new device B, I can fetch the contents of A's
> trust-node. When I decide on B, that I trust device A, I can check all
> the signatures in A's trust-node and automatically have transitive
> trust in all devices trusted by A.

Sounds elegant-ish.

> The downside of this is, that there is a "trust gradient", meaning that
> older devices are higher up in the trust hierarchy than newer ones (what
> happens, when you lose device A?) Also distrusting devices might be a
> problem:
> For distrusting a device, we could sign not only the fingerprint of the
> device, but also a state indicator like "trust:FINGERPRINT"
> (trust-proof) or "distrust:FINGERPRINT" (distrust-proof). That way,
> devices could automatically ignore/delete trust-proofs, when there is
> one or more distrust-proof.

This is probably akin to the GPG model of trust. The gradient is not 
necessarily a bad thing, but if that’s of concern, mirroring the trust 
signatures of another device (once or like a master-master replication) with 
one's own device key should be no problem.

> Possible problem: What happens when an attacker distrusts all your
> devices or creates paradox trust decisions? 

Hold on, what kind of attacker? Please state an attacker model here: what can 
the attacker do, where does it sit in the grand scheme of things?

A server-level attacker should not be able to add trust between devices (only 
remove it by breaking the signatures or removing items or nodes from the 
pubsub).

Likewise, a device-level attacker should not be able to add trust between 
devices other than the device it is controlling. Again, removal is possible 
via PubSub.

> Eg. assume we have devices
> A,B,C. A trusts B, B trusts C, C trusts A.
> B distrusts A, C distrusts B, A distrusts C. How to resolve? You might
> decide by counting, which device is trusted/distrusted by the majority
> of devices, but that would defeat the purpose of the whole system, since
> again trust decisions must be made on each device. Is there something
> useful for this in the OpenPGP-World?

That might be worth looking into (how GPG handles conflicting trust statements 
of equally trusted keys). A very simple solution (depending on the attacker, 
I’m not quite sure which scenario you have in mind) would be to state an error 
in that situation and let the user fix it manually.


> Variant II:
> This could be handy for IoT and is less complicated (I hope :D).
> Since IoT devices often do not have an easy to use interface for
> configuration, it might be a hassle to do trust decisions on them (which
> other devices should be trusted).
> To improve this, we might add a master-device, so each device only must
> trust the master. The master decides, which devices are trusted by
> signing their identity keys and publishing the signature on the
> trust-node. Each thing looks up the trust-node to decide, which other
> things to trust. When a device is not in the trust node, it must be
> distrusted.
> (I don't know, how IoT is done with xmpp. In this model, all things have
> the same jid. I don't know, whether this is also possible with unique
> jids for each thing.)

I think normally you’d have unique jids for each thing.

But this should be possible to do, if you go with Variant I and simply make 
the pubsub node optionally readable to other users (not only for your own). 
This enables a Web-of-Trusty-Usage, from which the IoT devices can benefit (by 
trusting all keys their owner trusts, obtained via the PubSub node of their 
owner).


Interesting topic for sure, will follow the discussions!

Good luck,
Jonas
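Added example, not part of the original message and not code from XEP-0384: a sketch of how a client could evaluate the items of a trust-node under the rules discussed in this thread (signed "trust:FINGERPRINT" / "distrust:FINGERPRINT" proofs, transitive trust, forged items ignored, contradictions reported as an error for the user to fix). The item layout, the function names and the device keys are hypothetical, and HMAC with constructed per-device keys stands in for identity-key signatures.

```python
import hashlib
import hmac

# Constructed keys. HMAC stands in for an identity-key signature so the
# sketch runs on the standard library; a real client verifies a signature.
KEYS = {d: f"constructed-key-{d}".encode() for d in "ABCD"}

class TrustConflict(Exception):
    """Trusted devices contradict each other; the user has to decide."""

def sign(signer, state, target):
    # Signed payload follows the "trust:FINGERPRINT" form from the thread.
    return hmac.new(KEYS[signer], f"{state}:{target}".encode(), hashlib.sha256).hexdigest()

def proof(signer, state, target):
    return {"signer": signer, "state": state, "target": target,
            "sig": sign(signer, state, target)}

def valid(p):
    if p["signer"] not in KEYS or p["state"] not in ("trust", "distrust"):
        return False
    if not isinstance(p["sig"], str):
        return False
    return hmac.compare_digest(p["sig"], sign(p["signer"], p["state"], p["target"]))

def evaluate(root, items):
    """Devices transitively trusted from `root`, given raw trust-node items."""
    proofs = [p for p in items if valid(p)]          # forged items drop out
    distrust = {(p["signer"], p["target"]) for p in proofs if p["state"] == "distrust"}
    trusted, frontier = {root}, [root]
    while frontier:
        signer = frontier.pop()
        for p in proofs:
            edge = (p["signer"], p["target"])
            # A signer's own distrust-proof cancels its trust-proof.
            if p["state"] != "trust" or p["signer"] != signer or edge in distrust:
                continue
            if p["target"] not in trusted:
                trusted.add(p["target"])
                frontier.append(p["target"])
    # A trusted device distrusting another trusted device cannot be resolved
    # automatically: report it instead of counting votes.
    conflicts = sorted({t for s, t in distrust if s in trusted and t in trusted})
    if conflicts:
        raise TrustConflict(conflicts)
    return trusted
```

An item the server injects without a valid signature never adds trust, while an item the server withholds only shrinks the trusted set, which matches the server-level attacker described in the message.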


