OK #radical idea. No signatures, no certificates. Deniable authentication between peers, and nothing else, but with relaying. If Alice sends you Bob's feed, you just blindly trust that it's Bob's feed, allowing Alice to MITM you and Bob whenever she wants. Crazy, right? Well, if you're also peering with Bob, then you can tell if Alice is lying...

Let's say you peer with Alice and Bob, and Alice sends you Claire's feed. You just blindly trust that it's Claire's feed, but then Bob also sends you Claire's feed. If Bob and Alice send you different feeds for Claire, but they also send you their own feeds, you can tell if Bob is lying about Alice's feed. If he isn't, then that's 2:0 odds he's telling the truth about Claire, with only 1:1 odds for Alice, since you can verify she lies once, tells the truth once (her own feed).

Short of an outright Sybil attack, which can be defeated by steganography or having just one single peer outside the adversary's control, you can estimate whose version of someone's feed is the legit version by looking at the odds that your known peers are telling the truth. That means you can basically get someone's feed without ever connecting to them, or verifying their identity at all. You can build trust with them, without any signatures or even authentication.
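The estimation sketched above, written out as an added example (my own code, not anything from the thread). The scoring rule is an assumption: each direct peer's credibility is the fraction of its verifiable relays (feeds whose owner we also peer with, the peer's own feed included) that matched the owner's own copy, and each version of a non-peer's feed is scored by the summed credibility of the peers relaying it. The names, feed contents and the scenario (Alice forges Bob's feed, Bob relays Alice's honestly, both disagree about Claire) are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Bundle is everything one direct peer relays to us: feed owner -> feed
// content (a hash or the bytes themselves). The peer's own feed sits under
// its own name; that copy is the reference other peers' relays are checked against.
type Bundle map[string]string

// Record counts a peer's verifiable relays: feeds whose owner we also peer with.
type Record struct{ True, False int }

// Candidate is one version of a non-peer's feed plus the peers vouching for it.
type Candidate struct {
	Content  string
	Score    float64
	Vouchers []string
}

// TruthRecords tallies, per direct peer, how many relayed feeds matched the
// owner's own copy. Feeds of non-peers cannot be checked and are skipped; a
// peer's own feed counts as one verified truth, matching the "1:1" / "2:0" tallies.
func TruthRecords(peers map[string]Bundle) map[string]Record {
	rec := make(map[string]Record)
	for peer, bundle := range peers {
		var r Record
		for owner, content := range bundle {
			ownerBundle, direct := peers[owner]
			if !direct {
				continue
			}
			if content == ownerBundle[owner] {
				r.True++
			} else {
				r.False++
			}
		}
		rec[peer] = r
	}
	return rec
}

// credibility is the assumed scoring rule: the peer's observed truth rate,
// 0 while nothing about the peer could be checked.
func credibility(r Record) float64 {
	n := r.True + r.False
	if n == 0 {
		return 0
	}
	return float64(r.True) / float64(n)
}

// Estimate ranks the relayed versions of owner's feed, best first, by the
// summed credibility of the peers that sent each one. The owner is never contacted.
func Estimate(peers map[string]Bundle, owner string) []Candidate {
	rec := TruthRecords(peers)
	byContent := map[string]*Candidate{}
	for peer, bundle := range peers {
		content, ok := bundle[owner]
		if !ok {
			continue
		}
		c := byContent[content]
		if c == nil {
			c = &Candidate{Content: content}
			byContent[content] = c
		}
		c.Score += credibility(rec[peer])
		c.Vouchers = append(c.Vouchers, peer)
	}
	out := make([]Candidate, 0, len(byContent))
	for _, c := range byContent {
		sort.Strings(c.Vouchers)
		out = append(out, *c)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Score != out[j].Score {
			return out[i].Score > out[j].Score
		}
		return out[i].Content < out[j].Content
	})
	return out
}

// Scenario is the constructed case: we peer with Alice and Bob only.
func Scenario() map[string]Bundle {
	return map[string]Bundle{
		"alice": {"alice": "alice-v1", "bob": "bob-FORGED-by-alice", "claire": "claire as told by alice"},
		"bob":   {"bob": "bob-v1", "alice": "alice-v1", "claire": "claire as told by bob"},
	}
}

func main() {
	peers := Scenario()
	for peer, r := range TruthRecords(peers) {
		fmt.Printf("%s: %d true, %d false\n", peer, r.True, r.False)
	}
	for _, c := range Estimate(peers, "claire") {
		fmt.Printf("%.2f %q vouched by %v\n", c.Score, c.Content, c.Vouchers)
	}
}
```

Running it gives Bob 2:0 and Alice 1:1, so Bob's version of Claire's feed scores 1.0 against 0.5 for Alice's. Note what the rule cannot do: if every peer relays the same copy of Claire's feed, that copy simply collects everyone's credibility; the estimate only arbitrates between versions that differ.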

@cy Both Alice and Bob might get Claire's feed from Dave, and only Dave, who messes with it.

Signatures make it easier to mitigate scenarios that are more difficult to control.

However, *authentication* can be mostly skipped either way. You can trust Claire's signature whether or not you verify that the private key is in possession of any particular individual.

@jens @cy aren't signatures and certificates already a form of deniable authentication? "i didn't sign that: somebody stole my keys".

@colin @cy Well, that's an interesting question, and the answer is that it depends on your use case. Mostly no.

You can copy signed stuff and pretend it's all yours. You need some kind of authentication to break that pretense.

Usually it means the challenger generating and encrypting some data, and expecting it to be returned. Only whoever is in possession of the private key can do so. That's sort of the minimal authentication.

But if you're only interested in all content...

@colin @cy ... coming from the same source, and you don't care who relays it, then I suppose so.

Most forms of authentication go beyond a challenge / response cycle. They expect e.g. certificates that tie extra information about an entity to a key. Could be a user name, could be more.

You can't really trust the challenged party with this, so you need a signature from some "higher" authority. And that's what you have with TLS, and most corporate authentication.
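The challenge/response that @jens describes above, as an added example rather than anything from the thread, in Go with Ed25519 from the standard library. It departs from the description in one respect: the prover signs a fresh random challenge instead of decrypting one, which is the usual form for a signing key and proves possession the same way. The names, the post text and the domain-separation tags `feed-post:` and `auth-challenge:` are my own assumptions; the tags stop a signature over a post from being presented as an authentication response.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Domain-separation tags (assumed here): a signature over a post must not
// double as an answer to an authentication challenge, or vice versa.
var (
	postTag      = []byte("feed-post:")
	challengeTag = []byte("auth-challenge:")
)

func tagged(tag, msg []byte) []byte {
	return append(append([]byte{}, tag...), msg...)
}

// SignPost is what Claire does once; anyone may copy and relay the result.
func SignPost(priv ed25519.PrivateKey, post []byte) []byte {
	return ed25519.Sign(priv, tagged(postTag, post))
}

// VerifyPost proves the post came from Claire's key, not that whoever
// handed it to you is Claire.
func VerifyPost(pub ed25519.PublicKey, post, sig []byte) bool {
	return ed25519.Verify(pub, tagged(postTag, post), sig)
}

// NewChallenge draws a fresh 32-byte nonce per attempt, so a captured
// response is useless afterwards.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Respond is the prover's side: only the private key can produce this.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, tagged(challengeTag, challenge))
}

// VerifyResponse is the challenger's side, checked against the claimed key.
func VerifyResponse(pub ed25519.PublicKey, challenge, response []byte) bool {
	return ed25519.Verify(pub, tagged(challengeTag, challenge), response)
}

func main() {
	clairePub, clairePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Claire publishes; Mallory relays the copy and claims the feed as hers.
	post := []byte("constructed post text")
	sig := SignPost(clairePriv, post)
	fmt.Println("post verifies under Claire's key, whoever relayed it:", VerifyPost(clairePub, post, sig))

	// Authentication: "prove you hold Claire's key".
	c1, _ := NewChallenge()
	fmt.Println("Claire answers:", VerifyResponse(clairePub, c1, Respond(clairePriv, c1)))
	fmt.Println("Mallory answers with her own key:", VerifyResponse(clairePub, c1, Respond(malloryPriv, c1)))

	// Mallory captured Claire's earlier response; a fresh challenge defeats it.
	old := Respond(clairePriv, c1)
	c2, _ := NewChallenge()
	fmt.Println("replayed response:", VerifyResponse(clairePub, c2, old))

	// Mallory offers the post signature itself as the response; the tag blocks it.
	fmt.Println("post signature as response:", VerifyResponse(clairePub, post, sig))
}
```

Mapping this onto the relay setting earlier in the thread: VerifyPost is all a relayed feed needs, and VerifyResponse only comes into play when you talk to Claire directly, which is the sense in which @jens says authentication can mostly be skipped.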

Finkhäuser Social