Revision [2228]
This is an old revision of WebOfTrust made by BrianKoontz on 2010-12-12 03:41:27.
Establishing a "web of trust" for OpenNIC servers
There is currently no way to determine the integrity of an OpenNIC server other than through interpersonal relationships, or knowledge of the OpenNIC principals that hold a high level of trust in the OpenNIC community. With the influx of people volunteering their services to run Tier 2 servers, it is becoming difficult to keep up with which servers are trusted, and which are untrusted. ("Untrusted" in this sense doesn't mean "not trusted," but rather "not enough information available to trust".) New members often ask how they know a certain Tier 2 server can be "trusted." There is probably not a deterministic answer to this. However, I believe we can leverage the "web of trust" model that GPG uses to determine the level of trust one might give to a particular user's public key (i.e., "How sure am I that this key actually belongs to the user I think it belongs to?").
Before I go further, a disclaimer: I am not a cryptographer, nor am I an expert in public key infrastructure. That said, I do read a lot on the topic, and implement several levels of encryption in my own activities, so I encourage you to do the same. This is not a GPG or PKI primer. There are folks much more knowledgeable than I who have written some very good how-tos on this topic. A good place to start would be The GNU Privacy Handbook.
Who do we trust?
The first step to implementing a web of trust is to determine who we trust enough to "anchor" our web of trust. Everybody trusts themselves. But do you trust the person I might put forward as an appropriate anchor? To trust in my decision, you would have to either (1) know me personally and trust me, or (2) know me by reputation and trust that reputation. The weakest link in any web of trust will be the anchor. If the anchor turns out to be untrusted, then any relationships between the anchor and others are immediately suspect.
It's important to establish one or more anchors that are impeccable in terms of trust. I trust the Dalai Lama, and I imagine a large number of people trust him as well, but I doubt he has the time to devote to OpenNIC given all of the other causes in which he engages. So the Dalai Lama would be a great anchor, but probably not a feasible anchor.
Some of us have been with OpenNIC since the "start". (Many probably don't know that OpenNIC has been around for 10 years, and that there was also an OpenNIC "resurrection" a few years ago that many consider to be the "start".) Personally, if I am going to be involved in an organization, I'm going to have a certain level of trust in the people who are considered the principals of that organization. It might be a high level or a low level of trust, but it's a known quantity that can be determined only at the individual level. For instance, I partake of many Google services...but I don't necessarily have a high level of trust for the Google management team. OTOH, I participate in OpenNIC, and I happen to have a very high level of trust in Julian DeMarchi, who worked with me to help bring OpenNIC back to life.
Based on that high level of trust, I personally would have no problem establishing Julian's credentials as the "anchor" for the web of trust. While I've never met Julian personally, he and I have worked closely together for the last 5 years; he has root access to some of my servers, and I have root access to some of his (and let's face it, no higher badge of honor exists than to give someone root access to your Unix server!). It's possible he's an FBI plant, and that I've been misled this entire time. But there are enough indications over 5 years of working with Julian that I'm personally satisfied that Julian is who he says he is, and that he's a person to be trusted.
Others will have to undertake similar introspection to determine who in the OpenNIC organization they trust. If you don't trust Julian, and he's the anchor for our web of trust, then the web of trust will be of no use to you. But then again, if you don't trust Julian, it's highly unlikely you'll find OpenNIC a trustworthy source for your DNS needs.
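To make the GPG model referred to above concrete, here is an added example (it is not from the original page, nor an OpenNIC tool) that computes key validity the way GnuPG's classic trust model does, with its default thresholds: a key is valid if it is certified by one fully trusted introducer, or by three marginally trusted ones, within a certification depth of five. The keyring is constructed; "anchor" and the op_* names are placeholders, not real OpenNIC members or keys. Withdrawing trust from the anchor demonstrates the weakest-link point made above: every key that was validated through the anchor drops back to "unknown".

```python
"""Toy implementation of GnuPG's classic web-of-trust validity calculation.

Added example, not part of the original page or of OpenNIC's tooling.
The keyring below is constructed: the names are placeholders, not real
OpenNIC operators or keys.  Defaults mirror GnuPG's classic trust model
(completes-needed=1, marginals-needed=3, max-cert-depth=5); expiry,
revocation and signature classes are deliberately left out.
"""

# Owner trust: how far we trust a key *holder* to certify other people's keys.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(ownertrust, signatures, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: (validity, depth)} with validity in FULL/MARGINAL/UNKNOWN.

    ownertrust: {key: trust level we assigned} (ULTIMATE marks our anchors)
    signatures: {signed_key: {signer_key, ...}} (certification signatures)

    A key is fully valid if it is ultimately trusted, or if it carries
    signatures from *fully valid* keys with enough owner trust: at least
    completes_needed signers with FULL (or ULTIMATE) trust, or at least
    marginals_needed signers with MARGINAL trust.  A key with some, but
    not enough, marginal introducers is only marginally valid and does
    not introduce anyone.  depth is the shortest chain to an anchor
    through a counted signer; signers at max_cert_depth no longer count.
    """
    keys = set(ownertrust) | set(signatures) | {s for ss in signatures.values() for s in ss}
    validity = {k: UNKNOWN for k in keys}
    depth = {k: None for k in keys}
    for k in keys:
        if ownertrust.get(k) == ULTIMATE:      # anchors validate themselves
            validity[k], depth[k] = FULL, 0

    changed = True                              # iterate to a fixpoint
    while changed:
        changed = False
        for key in keys:
            if validity[key] == FULL:
                continue
            fulls = marginals = 0
            best = None
            for signer in signatures.get(key, ()):
                # Only fully valid signers inside the depth limit count.
                if validity[signer] != FULL or depth[signer] >= max_cert_depth:
                    continue
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    fulls += 1
                elif trust == MARGINAL:
                    marginals += 1
                else:
                    continue                    # valid key, but not trusted to vouch
                candidate = depth[signer] + 1
                best = candidate if best is None else min(best, candidate)
            if fulls >= completes_needed or marginals >= marginals_needed:
                validity[key], depth[key] = FULL, best
                changed = True
            elif marginals >= 1 and validity[key] != MARGINAL:
                validity[key] = MARGINAL
                changed = True
    return {k: (validity[k], depth[k]) for k in keys}


def fully_valid(result):
    """Keys that a user holding these owner-trust settings may rely on."""
    return sorted(k for k, (v, _) in result.items() if v == FULL)


def without_anchor(ownertrust):
    """Same settings with the anchor's trust withdrawn: the failure mode
    described above, where every chain through a suspect anchor collapses."""
    return {k: (UNKNOWN if t == ULTIMATE else t) for k, t in ownertrust.items()}


# Constructed keyring (hypothetical names).  "anchor" plays the role of the
# community anchor; op_a is a long-time collaborator trusted to vouch for
# others; op_b..op_d are operators we trust only marginally.
OWNERTRUST = {
    "anchor": ULTIMATE,
    "op_a": FULL,
    "op_b": MARGINAL,
    "op_c": MARGINAL,
    "op_d": MARGINAL,
}
SIGNATURES = {
    "op_a": {"anchor"},
    "op_b": {"anchor"},
    "op_c": {"op_a"},
    "op_d": {"op_a"},
    "op_e": {"op_b", "op_c", "op_d"},   # three marginal introducers: fully valid
    "op_f": {"op_b", "op_c"},           # only two: marginally valid, cannot vouch
    "op_g": {"op_f"},                   # signed only by a non-valid key: unknown
}

if __name__ == "__main__":
    result = compute_validity(OWNERTRUST, SIGNATURES)
    for key in sorted(result):
        print(f"{key:8s} validity={result[key][0]:9s} depth={result[key][1]}")
    print("fully valid:", fully_valid(result))
    print("with anchor withdrawn:",
          fully_valid(compute_validity(without_anchor(OWNERTRUST), SIGNATURES)))
```

With a real keyring this is the calculation gpg performs when you assign owner trust with the trust command under gpg --edit-key and then run gpg --check-trustdb; the toy omits key expiry, revocation and certification levels, which a real deployment must honour.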
How do we trust?
Without getting into a lot of cryptological details better handled by experts in the field, most people have the ability to develop a "gut feel" for a person. Is this person someone I trust? Would I trust him with my wife (or her with my husband)? Would I trust him to watch my house? Would I trust him to handle my finances? Since the vast majority of OpenNIC interactions occur virtually, most of us will never have the opportunity to meet other OpenNIC members in person. And it would be unlikely that end users of our services would want to go out of their way to meet the server op for the Tier 2 they want to use. Likewise, most server ops have no desire (nor need) to personally meet with end users to exchange trust credentials (whether that would be in the form of handshakes, conversation, or an exchange of driver's licenses).
To positively identify an individual, security experts tell us that you need to verify two of the three authentication factors (the rule behind two-factor authentication):
- Something a person has (ownership factor)
- Something a person knows (knowledge factor)
- Something a person is or does (inherence factor)
A Tier 2 operator must be willing to provide to a suspicious end user artifacts satisfying at least two of the factors above before the end user can be sure that the person they are dealing with is, in fact, who they think they are dealing with. Regarding OpenNIC, there is an added level of complexity: A relationship exists between an individual and the server that he or she operates. An end user might not be satisfied merely with trusting a server's operator; she might also demand some way to determine whether the server itself can be trusted.
Servers can be compromised. Even if one established, with 100% certainty, that an individual runs a given server, there is always the uncertainty that the server itself might have been compromised, and a compromised server can hand out forged answers while still being run by exactly the person it is claimed to be run by. IOW, how does one know that the data being served up by a specific server is, in fact, authoritative and accurate? Unfortunately, this discussion wanders off into the domain of DNSSEC and other authentication schemes, and will not be addressed here. To move further, one will have to assume that a server is at any given time serving up authoritative and accurate query replies.
So there are two subquestions that need to be answered: (1) How do I establish trust with an individual? (2) How do I verify the relationship between an individual and the server she purports to operate?