Skip to main content

Can Security Be Decentralised?

The Case of the PGP Web of Trust

  • 52 Accesses

Part of the Lecture Notes in Computer Science book series (LNCS,volume 13176)

Abstract

The PGP Web of Trust was intended to provide a decentralised trust model for digital security, an alternative to centralised security models that might be subject to government control. Drawing from five years of ethnographic research among cybersecurity engineers into the everyday practice of using the Web of Trust, I critically examine the relationship between security and trust in distributed computing systems. I employ sociological perspectives on trust to examine the distinct roles that decentralised interpersonal trust and centralised assurance structures play in ensuring security in the Web of Trust. I illustrate how the Web of Trust, although designed to evade government control, paradoxically relies upon assurances provided by government-issued documents to validate identity, even while also relying upon interpersonal trust for this purpose. Through my analysis, I offer a framework for thinking about the relationship between centralisation and decentralisation, and between trust and assurance, to ensure security in the design and operation of distributed computing systems.

Keywords

  • Trust
  • Security
  • Assurance
  • Decentralisation
  • PGP
  • Web of Trust

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-031-10183-0_4
  • Chapter length: 19 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   54.99
Price excludes VAT (USA)
  • ISBN: 978-3-031-10183-0
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   69.99
Price excludes VAT (USA)

Notes

  1. 1.

    I draw this statistic from the Ubuntu keyserver: https://keyserver.ubuntu.com/pks/lookup?op=stats.

  2. 2.

    FIRST and M3AAWG are key global cybersecurity organisations with distinct, but overlapping, missions that facilitate coordination among government and private sector cybersecurity incident response and security teams. For more information, see https://www.first.org/ and https://www.m3aawg.org/.

  3. 3.

    An alternative history suggests that public key cryptography was invented earlier at the UK’s GCHQ, but remained classified [43].

  4. 4.

    In practice, a shortened version of the message - a unique fingerprint or “hash” - is used in signatures to save on the computation required to encrypt and decrypt large messages for the purposes of authentication.

  5. 5.

    For more information, see https://www.openpgp.org/.

  6. 6.

    For a broader survey of attacks against PGP, see [25].

  7. 7.

    The OpenPGP standard provides for finer grained trust levels, from 0 to 255 [10]. However, the levels indicated here are those used in practice in OpenPGP implementations.

  8. 8.

    See the GnuPG manual for a more detailed explanation: https://gnupg.org/gph/en/manual.html#AEN335.

  9. 9.

    I do not discuss the case of contacts with trust level none, regarded as untrustworthy to sign keys. While this exceptional condition is important, my focus is on mechanisms through which connections are created, rather than explicitly rejected.

  10. 10.

    As usability studies of PGP tools have indicated [41, 47], I was far from alone in my confusion.

  11. 11.

    The organiser of the FIRST key signing party recommended this document for guidance on different ways in key signing parties may be run: https://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html.

References

  1. Abbate, J.: Inventing the Internet. MIT Press, Cambridge (1999)

    Google Scholar 

  2. Abdul-Rahman, A.: The PGP trust model. EDI-Forum J. Electron. Commerce 10(3), 27–31 (1997). https://ldlus.org/college/WOT/The_PGP_Trust_Model.pdf

  3. Adams, T.E., Ellis, C., Jones, S.H.: Autoethnography. In: The International Encyclopedia of Communication Research Methods, pp. 1–11. Wiley (2017). https://onlinelibrary.wiley.com/doi/abs/10.1002/9781118901731.iecrm0011

  4. Anderson, L.: Analytic autoethnography. J. Contemp. Ethnogr. 35(4), 373–395 (2006). https://doi.org/10.1177/0891241605280449

    CrossRef  Google Scholar 

  5. Atkins, D., Stallings, W., Zimmerman, P.: RFC 1991: PGP Message Exchange Formats (1996). https://datatracker.ietf.org/doc/html/rfc1991

  6. Barbalet, J.: A characterization of trust, and its consequences. Theory Soc. 38(4), 367–382 (2009). https://doi.org/10.1007/s11186-009-9087-3

    CrossRef  Google Scholar 

  7. Barenghi, A., Di Federico, A., Pelosi, G., Sanfilippo, S.: Challenging the trustworthiness of PGP: is the web-of-trust tear-proof? In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 429–446. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_22

    CrossRef  Google Scholar 

  8. Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 164–173, May 1996. https://doi.org/10.1109/SECPRI.1996.502679. iSSN: 1081-6011

  9. Butz, D., Besio, K.: Autoethnography. Geogr. Compass 3(5), 1660–1674 (2009). https://doi.org/10.1111/j.1749-8198.2009.00279.x

    CrossRef  Google Scholar 

  10. Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: RFC 4880: OpenPGP Message Format (2007). https://datatracker.ietf.org/doc/html/rfc4880

  11. Camp, L.J.: Designing for trust. In: Falcone, R., Barber, S., Korba, L., Singh, M. (eds.) TRUST 2002. LNCS, vol. 2631, pp. 15–29. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36609-1_3

    CrossRef  Google Scholar 

  12. Cheshire, C.: Online trust, trustworthiness, or assurance? Daedalus 140(4), 49–58 (2011). https://doi.org/10.1162/DAED_a_00114

  13. Cook, K.S., Yamagishi, T., Cheshire, C., Cooper, R., Matsuda, M., Mashima, R.: Trust building via risk taking: a cross-societal experiment. Soc. Psychol. Q. 68(2), 121–142 (2005). https://doi.org/10.1177/019027250506800202

    CrossRef  Google Scholar 

  14. Costante, E., den Hartog, J., Petkovic, M.: On-line trust perception: what really matters. In: 2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST), pp. 52–59, September 2011. https://doi.org/10.1109/STAST.2011.6059256. iSSN: 2325-1697

  15. Diffie, W.: The first ten years of public-key cryptography. Proc. IEEE 76(5), 560–577 (1988). https://doi.org/10.1109/5.4442

    CrossRef  Google Scholar 

  16. Ellis, C., Adams, T.E., Bochner, A.P.: Autoethnography: an overview. Hist. Soc. Res./Historische Sozialforschung 36(4), 273–290 (2011). https://www.jstor.org/stable/23032294

  17. Farrell, H.: Constructing mid-range theories of trust: the role of institutions. In: Cook, K.S., Hardin, R., Levi, M. (eds.) Whom Can We Trust? How Groups, Networks, and Institutions Make Trust Possible. Russell Sage Foundation, New York (2009)

    Google Scholar 

  18. Fukuyama, F.: Trust: The Social Virtues and the Creation of Prosperity. The Free Press, New York (1996)

    Google Scholar 

  19. Garfinkel, S.: PGP: Pretty Good Privacy. O’Reilly Media (1995)

    Google Scholar 

  20. Gellner, E.: Trust, cohesion, and the social order. In: Gambetta, D. (ed.) Trust: Making and Breaking Cooperative Relations, pp. 142–157. Basil Blackwell (1988)

    Google Scholar 

  21. Giddens, A.: The Consequences of Modernity. Stanford University Press (1990)

    Google Scholar 

  22. Granovetter, M.: The strength of weak ties: a network theory revisited. Sociol. Theory 1(1983), 201–233 (1983). https://doi.org/10.2307/202051

    CrossRef  Google Scholar 

  23. Granovetter, M.S.: The strength of weak ties. Am. J. Soc. 78(6), 1360–1380 (1973). http://www.jstor.org/stable/2776392

  24. Guttman, J.D.: Trust engineering via security protocols. In: 2012 Workshop on Socio-Technical Aspects in Security and Trust, pp. 1–2, June 2012. https://doi.org/10.1109/STAST.2012.15. iSSN: 2325-1697

  25. Halpin, H.: SoK: why Johnny can’t fix PGP standardization. In: Proceedings of the 15th International Conference on Availability, Reliability and Security, ARES 2020, pp. 1–6. Association for Computing Machinery, New York, August 2020. https://doi.org/10.1145/3407023.3407083

  26. Haraway, D.: Situated knowledges: the science question in feminism and the privilege of partial perspective. Feminist Stud. 14(3), 575–599 (1988). http://www.jstor.org/stable/3178066

  27. Hardin, R.: Trust and Trustworthiness. Russell Sage Foundation Publications (2002)

    Google Scholar 

  28. Jacobs, M.: How implicit assumptions on the nature of trust shape the understanding of the blockchain technology. Philosophy Technol. 34(3), 573–587 (2020). https://doi.org/10.1007/s13347-020-00410-x

    CrossRef  Google Scholar 

  29. Jakobsson, M.: User trust assessment: a new approach to combat deception. In: Proceedings of the 6th Workshop on Socio-Technical Aspects in Security and Trust, pp. 73–78. Association for Computing Machinery, New York, December 2016. https://doi.org/10.1145/3046055.3046063

  30. Jøsang, A.: The right type of trust for distributed systems. In: Proceedings of the 1996 Workshop on New Security Paradigms, NSPW 1996, pp. 119–131. Association for Computing Machinery, New York, September 1996. https://doi.org/10.1145/304851.304877

  31. Lave, J.: Apprenticeship in Critical Ethnographic Practice. University of Chicago Press (2011)

    Google Scholar 

  32. Lewis, J.D., Weigert, A.: Trust as a social reality. Soc. Forces 63(4), 967–985 (1985). https://doi.org/10.2307/2578601

    CrossRef  Google Scholar 

  33. Luhmann, N.: Trust and Power. Wiley (1979)

    Google Scholar 

  34. Luhmann, N.: Familiarity, confidence, trust: problems and alternatives. In: Gambetta, D. (ed.) Trust: Making and Breaking Cooperative Relations, pp. 94–107. Basil Blackwell (1988)

    Google Scholar 

  35. Marcus, G.E.: Ethnography in/of the world system: the emergence of multi-sited ethnography. Ann. Rev. Anthropol. 24, 95–117 (1995). http://arjournals.annualreviews.org/doi/abs/10.1146/annurev.an.24.100195.000523

  36. Möllering, G.: The nature of trust: from Georg Simmel to a theory of expectation, interpretation and suspension. Sociology 35(2), 403–420 (2001)

    CrossRef  Google Scholar 

  37. Nemec, M., Sys, M., Svenda, P., Klinec, D., Matyas, V.: The return of coppersmith’s attack: practical factorization of widely used RSA moduli. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1631–1648. Association for Computing Machinery, New York, October 2017. https://doi.org/10.1145/3133956.3133969

  38. Nickel, P.J., Franssen, M., Kroes, P.: Can we make sense of the notion of trustworthy technology? Knowl. Technol. Policy 23(3–4), 429–444 (2010). https://doi.org/10.1007/s12130-010-9124-6

    CrossRef  Google Scholar 

  39. Nissenbaum, H.: Will security enhance trust online, or supplant it? In: Roderick, K.M., Cook, K.S. (eds.) Trust and Distrust in Organizations: Dilemmas and Approaches, pp. 155–188. Russell Sage Foundation Publications (2004). http://www.nyu.edu/projects/nissenbaum/papers/trust.pdf

  40. Putnam, R.: The prosperous community: social capital and public life. Am. Prospect (2001). https://prospect.org/api/content/27753724-6757-5e80-925d-9542fc7ad4cb/

  41. Ruoti, S., Andersen, J., Zappala, D., Seamons, K.: Why Johnny still, still can’t encrypt: evaluating the usability of a modern PGP client. arXiv:1510.08555 [cs], January 2016. http://arxiv.org/abs/1510.08555. arXiv: 1510.08555

  42. Schneider, F.B. (ed.): Trust in Cyberspace. The National Academies Press, Washington, D.C. (1999)

    Google Scholar 

  43. Singh, S.: The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Anchor Books, New York (2000)

    Google Scholar 

  44. Twigg, A., Dimmock, N.: Attack-resistance of computational trust models. In: WET ICE 2003. Proceedings. Twelfth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 275–280, June 2003. https://doi.org/10.1109/ENABL.2003.1231420. iSSN: 1080-1383

  45. Ulrich, A., Holz, R., Hauck, P., Carle, G.: Investigating the OpenPGP web of trust. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 489–507. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_27

    CrossRef  Google Scholar 

  46. Vidiasova, L., Kabanov, Y.: Online trust and ICTs usage: findings from St. Petersburg, Russia. In: Proceedings of the 13th International Conference on Theory and Practice of Electronic Governance, ICEGOV 2020, pp. 847–850. Association for Computing Machinery, New York, September 2020. https://doi.org/10.1145/3428502.3428637

  47. Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. In: Proceedings of the 8th USENIX Security Symposium, pp. 169–183 (1999)

    Google Scholar 

  48. Yamagishi, T., Yamagishi, M.: Trust and commitment in the United States and Japan. Motiv. Emot. 18(2), 129–166 (1994)

    CrossRef  Google Scholar 

  49. Ziegler, C.N., Lausen, G.: Spreading activation models for trust propagation. In: IEEE International Conference on e-Technology, e-Commerce and e-Service, EEE 2004, pp. 83–97, March 2004. https://doi.org/10.1109/EEE.2004.1287293

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Ashwin J. Mathew .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Mathew, A.J. (2022). Can Security Be Decentralised?. In: Parkin, S., Viganò, L. (eds) Socio-Technical Aspects in Security. STAST 2021. Lecture Notes in Computer Science, vol 13176. Springer, Cham. https://doi.org/10.1007/978-3-031-10183-0_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-10183-0_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-10182-3

  • Online ISBN: 978-3-031-10183-0

  • eBook Packages: Computer ScienceComputer Science (R0)