PGP vs hyper-data Web of Trust

Henry Story
6 min read · Jun 17, 2018

Prof Bryan Ford of EPFL asked the following question:

I know Bryan Ford for his 2002 work on Delegative Democracy. He is now Professor at EPFL in Switzerland, leading the Decentralized/Distributed Systems group, and has done some very innovative work on the blockchain, speeding transaction time up by a factor of 1000 with collective signing. I very much appreciate him bringing this question up which is very likely on the mind of many people in the security space, given the importance historically of PGP.

Here I answer the question of what the difference is between what we propose and the PGP web of trust. The other part of the question, looking seriously at why the PGP web of trust failed to be as successful as it needed to be, I take up in another post.

The PGP signature based Web of Trust

PGP used the concept of a web of trust and so do we. With PGP I can create a (self-signed) certificate and have it signed by many of my friends, and they in turn could have their certificates signed by their friends, which if one were to draw these out as arrows between nodes each identifying a person, would form a graph, which they called The Web of Trust. Our proposal is to actually use the hyper-linked nature of the World Wide Web to create a web of trust through linking, and leave the cryptography to other layers.
This merging of layers led to PGP never being adopted as widely as its proponents needed it to be, namely widely enough that one could rely on one’s interlocutor having it. This was partly due to the requirement for two people to be in each other’s presence to sign the certificate, partly the problem of keeping private keys safe when needing to use them across devices, and partly because PGP certificates cannot be changed or updated easily; and since the information they contain had to be public, this led to the certificates containing very little information.

As the proposal we are putting forward bridges a lot of fields, many of them orthogonal to each other, questions are vital to help me know where I need to improve my explanation and dig deeper. Indeed, the whole difficulty of this proposal may very well be related to the fact that each of the tools I am suggesting be used — TLS, DNS-SEC, DANE, Semantic Web, HTTP, Browser UI design, … — are all very well designed and so mostly orthogonal to each other, resulting in few specialists needing to know many of them. But epistemology, like security, knows no disciplinary boundaries, and to be secure one very much has to have a synthetic overview of all the tools available, and know how to use them.

1. Background

For the record, I have answered questions relating to PGP in a couple of places before:

2. The Differences

Both of those posts do make points that can be re-used here to greater effect, since this proposal is actually simpler than the WebID-TLS one. Here are the major reasons why an institutional web of trust based on hyper-data is very different from a PGP web of trust:

  1. PGP ties cryptography to the identity of the user, whereas in this proposal the two are orthogonal. With PGP, the user must use his private key to sign messages, or to decrypt messages sent to him. We here rely on the TLS and DNS-SEC infrastructure to authenticate the servers, and so the URLs served by those servers. (Note: I mention those protocols here because they are widely known and deployed, but I don’t exclude possible improvements to those layers, such as a DNS replacement built on a blockchain). TLS implementations have become a lot more efficient over time; they are now widely deployed, and the pushback and skepticism that was still around in 2008 has now mostly dissipated.
  2. We dissociate the semantics from the format: PGP has a hard-coded format and a limited vocabulary for describing a person. RDF is a framework for describing any kind of data in a syntax-independent way:
    • There are syntaxes for it in XML, HTML (RDFa), JSON-LD, and an easy one to type: Turtle.
    • One can easily extend the vocabularies in a decentralised manner, so that if a whole new sector of activity comes up, it will be easy to coin a new URI and tie it to an older concept by expressing that the new concept is a subclass of an older higher level one, in such a way that old browsers will be able to keep working gracefully.
  3. Because the proposal is initially for a decentralised system, not a distributed one, and because we use a hyper-data framework based on URLs, we can allow content to change over time. So Companies House can change the name of the owner of a company, the filing time, pending court cases, or any other information that could be relevant in the Company Profile document, without the web server certificates needing to be changed. On the other hand, because a PGP record is not a resource that can change over time but a fixed document, indeed one signed bit for bit, changing the document is impossible. This may seem more secure, but it actually is not. Because people and companies change, one then needs to build a way to version signed documents, and have a method for deciding (automatically) which future signed document is the next version of the old one.
The lower part of this image illustrates a social network based on hyper-data documents that link up together. The description of each individual is located in its own profile at the location given by the URI. (Notice that each of these documents is on a different domain.) If a WebID were to appear in a TLS certificate or a DNS-SEC record, the description of each individual and his social network could change by changing the documents, without having to change the certificates. In the institutional web of trust proposal the identifier would identify an institution instead of a person, where we think of both as instances of an Agent.

In short, the main difference is that an HTTP resource is a stream of documents that can change over time — and so can be described co-algebraically — whereas a PGP key is a document and so can best be described algebraically. (Indeed in my thesis I have started arguing that the web is actually bialgebraic.) Now it is an ancient truth going back to Heraclitus that everything changes and that “No man ever steps in the same river twice”. Those who favor algebraically signed documents do so because they worry about change. We instead rely on human institutions to give us the needed reliability and use the just-in-time encryption built into TLS. We allow institutions to make decisions about which future version of a document is the authoritative one (by publishing them at URLs they control), and we allow courts of law to be used to question such decisions. In an approach which does not trust institutions, one then needs a consensus protocol to come to a decision as to what the next version of a document is going to be, which can be very expensive in terms of energy, brittle, and perhaps not needed for this use case, since the institutions and the courts of law are all here already and should not be automated away. Indeed we are describing institutions, and our claim is that the problem of fake news, fake shops, etc. is related to people not being able to reliably recognise institutions on the current web.
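As an added illustration of points 2 and 3 above (example code written for this page, not code from the original post or from any project it mentions): a small Python model of an institutional web of trust over linked hyper-data documents. The domains, the `vocab#owner` predicate and the in-memory `DOCS` dictionary standing in for HTTPS fetches are all constructed and hypothetical, and TLS/DNS-SEC authentication of each origin is assumed rather than performed. The crawler applies the WebID rule that a profile document is authoritative only for identifiers that dereference to it, so a claim one domain makes about another domain's identifier is dropped, and the registry can change a company's owner by editing its own document while no identifier or server key changes.

```python
import re
from urllib.parse import urldefrag

NAME, KNOWS = "http://xmlns.com/foaf/0.1/name", "http://xmlns.com/foaf/0.1/knows"
OWNER = "http://example.org/vocab#owner"         # hypothetical vocabulary term
REG = "https://register.example/company/123"     # a registry's company profile document

# Constructed sample: profile documents on three domains as simplified N-Triples. The dict
# stands in for HTTPS GET; in deployment TLS (plus DNS-SEC/DANE) authenticates each origin.
DOCS = {
    REG: f'<{REG}#co> <{NAME}> "Acme Ltd" .\n'
         f'<{REG}#co> <{OWNER}> <https://alice.example/card#me> .\n',
    "https://alice.example/card":
        f'<https://alice.example/card#me> <{NAME}> "Alice" .\n'
        f'<https://alice.example/card#me> <{KNOWS}> <https://bob.example/profile#i> .\n'
        f'<https://bob.example/profile#i> <{NAME}> "Mallory" .\n',   # not hers to assert
    "https://bob.example/profile": f'<https://bob.example/profile#i> <{NAME}> "Bob" .\n',
}
TRIPLE = re.compile(r'<([^>]*)>\s+<([^>]*)>\s+(<[^>]*>|"[^"]*")\s*\.')

def parse_ntriples(text):
    """(s, p, o) tuples; IRIs come back bare, literals keep their quotes to stay distinguishable."""
    return [(s, p, o[1:-1] if o.startswith("<") else o) for s, p, o in TRIPLE.findall(text)]

def build_trust_graph(start_url, fetch, max_docs=50):
    """Follow links between profile documents, keeping a triple only when the document
    it came from is the one its subject IRI dereferences to (the WebID rule)."""
    graph, seen, queue = {}, set(), [start_url]
    while queue and len(seen) < max_docs:
        url = queue.pop(0)
        if url in seen or (text := fetch(url)) is None:
            continue
        seen.add(url)
        for s, p, o in parse_ntriples(text):
            if urldefrag(s)[0] != url:
                continue                       # alice.example cannot speak for bob.example
            graph.setdefault(s, []).append((p, o))
            if not o.startswith('"'):
                queue.append(urldefrag(o)[0])  # dereference linked WebIDs
    return graph

def owner_name(company_iri, docs):
    """Resolve the company's owner to the name published in the owner's own profile."""
    g = build_trust_graph(urldefrag(company_iri)[0], docs.get)
    for p, owner in g.get(company_iri, []):
        if p == OWNER:
            return next(o for q, o in g.get(owner, []) if q == NAME).strip('"')
    return None

def ownership_change():
    """The registry rewrites its own document; no identifier or server key changes."""
    updated = {**DOCS, REG: DOCS[REG].replace("alice.example/card#me", "bob.example/profile#i")}
    return owner_name(REG + "#co", DOCS), owner_name(REG + "#co", updated)
```

`ownership_change()` returns the owner before and after the registry's edit, resolved each time by dereferencing the linked documents rather than by verifying any signed blob.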


Henry Story

is writing his PhD on http://co-operating.systems/ . A Social Web Architect, he develops in Scala ideas guided by Philosophy, and a little Category Theory.