Notable Public Keys book

Created by Steven Baltakatei Sandoval on 2021-07-19T22:52Z under a CC BY-SA 4.0 license and last updated on 2021-07-20T02:09Z.

Summary

I decided to write a book with some notes I have been keeping regarding public keys I have spent some time verifying over the years for my own purposes.

Current use of public key cryptography

Keyservers such as keys.openpgp.org permit automated distribution of public keys. Some key owners attest to the identity of other key owners by means of digital signatures attached to each others' public keys. However, some esoteric technical expertise is required to examine this machine-readable signature data.

In response, services such as keybase.io have appeared that offer to take care of these details, letting people manage their online identities through a web user interface. By default, a user's PGP public key fingerprint is displayed prominently on a user's profile page. With these keys, Keybase offers people services such as end-to-end encrypted messaging that do not require Keybase to be able to see the contents of the messages.

Other services such Signal go a step futher and don't even require the user to even know what a public key is. End-to-end encryption is used using public key cryptography but with user identity details determined through SMS confirmations. Fingerprint comparisons for each encrypted conversation are instead an optional feature called a "Safety Number" which a user may or may not choose to verify.

In the interest of achieving cryptography "at scale", these systems (keys.openpgp.org, keybase.io, signal.org) store information about which keys are to be trusted in machine-readable format. Signal users can form their own networks of trusts by instructing their phones to trust other users' phones through Safety Number information. Keybase users can do likewise with Keybase servers or Keybase software running on their devices. In each of these situations, a machine manages trust information according to human decisions.

A case not covered by existing software

There is a subtle assumption that the user has a close enough relationship with another user to be able to rationally decide to codify that relationship. This is no hurdle for Tom who uses Signal with his siblings since he likely is familiar with their idiosyncratic behaviors. However, what if Tom received a news story from his sibling Jess about serious allegations of criminal acts of Tom's favorite politician that he votes for? The news story was written by a reporter Tom has never heard of. Since Tom's voting behavior is at stake, he will want to examine the provenance of these allegations, perhaps starting with the reputation of the reporter. While Tom may be able to trust that the news story did come from Jess thanks to Signal, even if the reporter used Signal, they would likely be unable to respond to individual questions from many interested people such as Tom.

There is an imbalance between the need of the many to verify and the need of the popular to prove. Typically, this imbalance is partially satisfied by use of Transport Layer Security (TLS) and public keys known as "certificates" stored in popular web browsers; this is the "green lockbox" icon seen at the top of browsers. As of 2021, web sites lacking valid certificates trigger some form of warning to the user (e.g. a warning page or a red cross icon near the browser's address bar). TLS used by the news story's parent site would give Tom a handhold in his task to verify the reporter's reputation. He could at least trust the integrity of other works by the reporter, allowing him to build up a story about who this reporter really is and what they really know.

It is this need to construct an internally consistent and plausible "story" that I identified as a need that apps such as Keybase and Signal do not readily fulfill. The situation Tom finds himself in is similar to situations I often find myself in. I wish to fulfill my civic duty by understanding political candidates so I can vote for the best one. I wish to protect my devices against malware by understanding the provenance of different software packages available and installing the best one. In both of these situations I find myself assembling notes about the identities of notable individuals. And since I live in an era where public key cryptography exists, I find myself buliding stories around public keys.

Stories about public keys

Over time I have accumulated notes and memories identifying the public keys used by entities whose works I use. Last week I decided to assemble the content of these notes into the form of a TeXmacs book. Yesterday I composed three sections of a book I am assembling in One section was about keys used to sign executable binaries of the reference implementation of the Bitcoin protocol, Bitcoin Core. Another section was about the key GitHub uses to automatically sign commits made using its web interface. The third section was of a key used to sign SD card images of RaspiBlitz, a software package I am testing for running a Lightning Node for Bitcoin microtransactions. The book relies heavily on the Internet Achive's Wayback Machine for hosting long-term links to webpages that serve as evidence for my claims.

Other subjects I have in mind to write future sections about inculde:

  • Tails - A privacy-focused operating system based on Debian.
  • Debian - A GNU/Linux distribution from which several notable distributions are derived (e.g. Tails, Ubuntu).
  • New York Times - A notable newspaper that accepts confidential tips via PGP-encrypted email, Signal, and WhatsApp.
  • Veracrypt - Encryption software. Successor to Truecrypt.
  • Tor Browser - Private web browser.
  • F-Droid - An open-source android software repository.

If browser certificates and esoteric gpg commands are on one end of a spectrum, this book is at the opposite end. Keyserver data is machine-readable; this book is meant to be human-readable. A signature packet on a PGP key is not designed to note political rivalries between cryptocurrency forks. Conflict makes human stories more interesting. Plenty of news articles and social media posts exist that mention individuals who own public keys but I am not aware of a publication that attempts to focus on identifying public keys with prose.

Conclusion

I'm writing a book containing my notes to help people identify public keys of notable entities. I'm doing this because I want to offer an alternative, however small, to machine-oriented methods. Also, I have been collecting these notes anyway for myself so I may as well help others while I am at it.

I'm mirroring the source for the book to GitLab.