Roadmap

phase 1 – super simple

Phase 1 is something basic and functional. It uses super simple discovery via https from other LEAP providers. For legacy, we attach the public key for outgoing emails.

Phase 1.5 – slight improvement

Phase 2 – proxy requests and keyservers

A much better system, although one that still relies on x.509. This phase allows for proxy requests to look up and refresh keys. This allows for the possibility of easy network perspective auditing of the user’s key by the key manager. Also, instead of attaching public key to outgoing emails, we will use legacy keyservers. The openpgp header sucks, we will come up with something better for phase 2.

Phase 3 – signed responses

Phase 3 moves away from reliance on trusting x.509.

Phase 4 – the future

Issues

phase 1

phase 2

Security Concerns

Nicknym API v2

Goal: Support for a minimal viable solution, where two users on LEAP providers always send encrypted email to each other all the time. This includes support for renewing expiring keys, and updating keys. It does not yet include support for provider endorsements of keys. So, this is still a pure TOFU model where a lot of trust is placed on the user’s provider.

URLs

Arguments:

Discussion:

LEAP providers currently are required to provide a /provider.json at the root of their domain. This is a little complicated, since the main domain for a provider might not be controlled at all by the LEAP platform. So, we generate a provider.json for them that they can copy in place, if needed. Because of this, we cannot require https://domain/.well-known/nicknym for the nickserver URL. Maybe some day, but for now it makes everything much easier if we only require providers to put the provider.json file on the domain.

Nickserver Logic

address requests

if domain in address matches nickserver's domain
  return authoritative response
else
  proxy request to foreign nickserver
end

fingerprint requests

if fingerprint is in database of user keys
  return authoritative response
else
  proxy request to SKS keyservers
end

Keymanager Logic

key update logic

query own nickserver by fingerprint
if result and key still has the right uid and fingerprint
  update key
else
  query own nickserver by address
  if result
    if key fingerprint is unchanged
      update key
    else
      apply validation rules to decide what to do with this new key

private key expiry

The key manager needs to extend the expiration of the user’s key in a timely manner, to minimize the possibility that the user has been offline and let their key lapse.

Updating the key leaks the information the user was running bitmask on the given time. So too many updates may deliver a detailed profile of what days the user is logging in.

The expiration of a key is stored in the self signature of that key. Changing the expiry does not increase the size of the key. You can pick whatever expiry you want, but doing so does update the signature on the key which includes the exact timestamp of when the signature was made (including timezone, it appears). Perhaps another reason to plan to migrate off gpg. Here is the pgpdump output:

Old: Signature Packet(tag 2)(317 bytes)
	Ver 4 - new
	Sig type - Positive certification of a User ID and Public Key packet(0x13).
	Hashed Sub: signature creation time(sub 2)(4 bytes)
		Time - Thu Aug 25 13:49:17 PDT 2016
	Hashed Sub: key expiration time(sub 9)(4 bytes)
		Time - Thu Sep 15 13:49:13 PDT 2016

Conclusions drawn from doing the following:

gpg --edit-key KEY expire
apt install pgpdump
gpg --export KEY | pgpdump
gpg --export KEY | wc --bytes
repeat

Suggestion:

Response codes

Problems

Nicknym API v3

AREA TO DRAFT IDEAS FOR THE NEXT VERSION

Abuse prevention

If we allow proxied requests, how do we prevent anyone from using the nickserver in an amplification attack?

Provider keys

Nicknym relies on provider endorsement of keys, but how do we know what provider key to trust?

For now: TOFU with permanent public key pinning

Options for the future:

Capability detection

A domain supports nicknym if:

The reason to use a different URL for detecting if nicknym is supported or not is that we don’t want to be fooled into thinking the provider doesn’t support nicknym just because the nickserver is malfunctioning or is down. By use .well-known/key-discovery we can make it a static file. Also, maybe we can add other key discovery methods in the future.

The reason to not use DNS or a different port or a different subdomain is that we don’t want to leak to a network observer what we are doing.

More on /.well-known/

Scenarios

other provider is leap provider.

Sending first email.

  1. lookup key by username from other provider

Key expired => update => nothing changed

  1. get key update from other provider, note nothing changed
  2. stop using key ?
  3. send unencrypted email ? maybe not

key expired => update => expiry prolonged

  1. get key update from other provider, notice expiry update
  2. update the key
  3. keep using the key

key revoked => no new key available

  1. lookup if new key is available
  2. if not, send unencrypted

key revoked => new key available

  1. lookup if new key is available
  2. if so, save new key
  3. send encrypted to new key

provider’s signature on key has been revoked

  1. record that provider endorsement has been revoked
  2. only singed by previous key is accepted ??? maybe not
  3. in case of lost account you need to wait for the expiration date

key unchanged => new key available

  1. do nothing, we always use existing key unless it expires or is revoked, or user manually verifies fingerprint on new key.

other provider is non-leap provider

Sending first email

  1. failing lookup key by username from other provider
  2. send unencrypted

Key expired => update => nothing changed

  1. get key update from sks, note nothing changed
  2. stop using key ?

key expired => update => expiry prolonged

  1. check key for updates
  2. update key if expiry has extended
  3. keep using key

key revoked => no new key available

  1. check key for updates
  2. if revoked, check to see if a new key is available
  3. if we can find any key that is signed by the revoked key, then register that new key.
  4. otherwise, disable the revoked key
  5. are their any keys available?
  6. if not, send unencrypted

key revoked => new key available

  1. check key for updates
  2. if revoked, check to see if a new key is available
  3. if we can find any key that is signed by the revoked key, then register that new key.
  4. otherwise, disable the revoked key
  5. are their any keys available?
  6. if yes, send encrypted

key unchanged => new key available => signed by previous key

  1. do nothing, we always keep the prior key unless expired, revoked, or superseded by manual fingerprint verification.