Integration into Enigmail for GPG keys

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am
Contact:

Integration into Enigmail for GPG keys

Post by domob »

Let's start the first topic in this new section. ;) I'd love to make Namecoin-based verification of GPG keys happen, as I'm still believing that Namecoin can be the "final" solution to the problem of secure and trusted exchange of public keys (much like it solves the CA problem for TLS). Since I'm a user of Enigmail myself and believe it is quite widely used and a very good UI front-end to GPG, I would be very interested in adding Namecoin-support to Enigmail. IMHO, this is a better place than the GPG core itself. I asked on their mailing list what they think about it: https://lists.enigmail.net/pipermail/en ... 01385.html
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Integration into Enigmail for GPG keys

Post by biolizard89 »

domob wrote:Let's start the first topic in this new section. ;) I'd love to make Namecoin-based verification of GPG keys happen, as I'm still believing that Namecoin can be the "final" solution to the problem of secure and trusted exchange of public keys (much like it solves the CA problem for TLS). Since I'm a user of Enigmail myself and believe it is quite widely used and a very good UI front-end to GPG, I would be very interested in adding Namecoin-support to Enigmail. IMHO, this is a better place than the GPG core itself. I asked on their mailing list what they think about it: https://lists.enigmail.net/pipermail/en ... 01385.html
Sounds like a good project.

I'm getting a TLS error when I visit that link, and removing the "s" yields what looks like a control panel login page. Is something wrong?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5


Re: Integration into Enigmail for GPG keys

Post by domob »

biolizard89 wrote:I'm getting a TLS error when I visit that link, and removing the "s" yields what looks like a control panel login page. Is something wrong?
It seems their mailing list is run by hostpoint.ch but they point their own domain there. So you get a certificate for hostpoint.ch, but if you accept it, it should work.

Re: Integration into Enigmail for GPG keys

Post by biolizard89 »

domob wrote:
biolizard89 wrote:I'm getting a TLS error when I visit that link, and removing the "s" yields what looks like a control panel login page. Is something wrong?
It seems their mailing list is run by hostpoint.ch but they point their own domain there. So you get a certificate for hostpoint.ch, but if you accept it, it should work.
I'm sufficiently paranoid that I prefer not to override TLS warnings... any chance you can copy the linked message into this thread so that people can view it without clicking the link?

Re: Integration into Enigmail for GPG keys

Post by domob »

Yeah, no problem (but then I presume we should really fix the namecoin.info TLS issues soon, not to say that I didn't consider this urgent previously):

Hi all!

As I understand it, the key ingredient into a secure encrypted messaging
system is a trusted exchange of public keys. GPG and Enigmail solve
this at the moment using a WoT with key signatures and manual
fingerprint exchange and comparison.

I really believe that Namecoin [1] has the potential to improve this.
If you have not yet heard about it, Namecoin is a system based on
Bitcoin's consensus technology that allows a secure, trusted and fully
decentralised key-value storage. In particular, it can be used to
associate human-readable online identity names with things such as,
among others, GPG key fingerprints. See also [2] and my own identity
shown at this page at [3]. It is cryptographically ensured that only
the owner of a given name is able to change the name's associated value.

[1] http://namecoin.info/
[2] https://nameid.org/
[3] https://nameid.org/?name=domob

In other words, if someone stores their GPG key fingerprint with their
online identity, then they can tell others just their name instead of
the key fingerprint for a secure key exchange. I.e., "domob" instead
of 0x04F7CF52 in my case -- which is much easier to remember for an
acquaintance of yours.

Namecoin identities are described a bit on [4], although the part about
GPG fingerprints is unfortunately not yet added to this page (but
there's a proposed spec for it already).

[4] https://github.com/namecoin/wiki/wiki/Identity

I've already implemented a similar key exchange system for Bitmessage
addresses as well as a proof-of-concept fork of pidgin-otr that allows
Namecoin to be used to verify OTR chat partners. I'm interested in
doing the same for GPG and believe that Enigmail (and not the GPG core)
would be the best place to add this feature.

What do you think about this idea? Would you be open to accepting a
patch that implements (fully optional, of course!) Namecoin-based GPG
fingerprint verification? If yes, I would love to discuss how to
integrate it best into the UI and work on it.

I'm really looking forward to comments on this idea! Yours,
Daniel
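
The check described in the message above (a contact gives you a name, you look up the fingerprint stored under it and compare it with the key you hold), as an added example that is not part of the thread and not Namecoin or Enigmail code. The JSON layout (`gpg.fpr`), the name `id/alice` and the function names are assumptions, and the sample value is constructed.

```javascript
// Added example. ASSUMPTION: the name's value is JSON with the fingerprint
// at gpg.fpr; the thread only says a spec was proposed, so this is illustrative.

// Constructed sample value for a hypothetical name "id/alice".
const SAMPLE_NAME_VALUE = JSON.stringify({
  email: "alice@example.org",
  gpg: { fpr: "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567" },
});

// Strip "0x", whitespace and colons, upper-case; null unless pure hex.
function normalizeHex(s) {
  if (typeof s !== "string") return null;
  const hex = s.replace(/^\s*0x/i, "").replace(/[\s:]/g, "").toUpperCase();
  return /^[0-9A-F]+$/.test(hex) ? hex : null;
}

// Compare the fingerprint of a locally held key with the one published
// under the name. Returns { ok, reason } so a UI can show why it failed.
function checkKeyAgainstName(nameValue, localFpr) {
  let parsed;
  try {
    parsed = JSON.parse(nameValue);
  } catch (e) {
    return { ok: false, reason: "name value is not JSON" };
  }
  const published = normalizeHex(parsed && parsed.gpg && parsed.gpg.fpr);
  const local = normalizeHex(localFpr);
  if (!published) return { ok: false, reason: "name publishes no fingerprint" };
  // An 8- or 16-digit key ID does not identify a key uniquely; require the
  // full 160-bit (40 hex digit) OpenPGP v4 fingerprint on both sides.
  if (published.length !== 40) {
    return { ok: false, reason: "published value is not a full fingerprint" };
  }
  if (!local || local.length !== 40) {
    return { ok: false, reason: "local fingerprint is not a full fingerprint" };
  }
  if (published !== local) {
    const sameShortId = published.slice(-8) === local.slice(-8);
    return {
      ok: false,
      reason: sameShortId
        ? "short key ID matches but fingerprint differs"
        : "fingerprint mismatch",
    };
  }
  return { ok: true, reason: "fingerprint matches" };
}
```

The result object keeps the "short key ID matches" case separate from a plain mismatch so a front-end can warn about it specifically.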


Re: Integration into Enigmail for GPG keys

Post by biolizard89 »

Nice.

(And yes, namecoin.info TLS needs to be fixed.)

Re: Integration into Enigmail for GPG keys

Post by domob »

Another reply was this:
There's a serious bootstrapping problem here.

Enigmail's mission statement: "We provide a convenient front-end to GnuPG's OpenPGP functionality. No more and no less."

GnuPG's mission statement: "We provide implementations of OpenPGP (RFC4880) and S/MIME (RFC5721). No more and no less."

I don't know enough about Namecoin to talk intelligently about it. However, until Namecoin becomes a part of either RFC4880 or RFC5721, it is unlikely to be supported within either GnuPG or Enigmail.

The best way to proceed, I think, would be to set up a keyserver that could interact with a Namecoin back-end and communicate over the existing HKP protocol. If you can get people using Namecoin through a shim like that, then over time you might be able to get people to use Namecoin directly.
It seems as if this person (not sure who he is and how official this opinion is) doesn't see Namecoin support for Enigmail, not even as a small "extra feature" over being only a front-end for GnuPG. I'm not really sure how the suggestion with a key server should work, but it sounds like being both overcomplicated and centralised, so not trust-free (but the server could be set up locally, then it is only overcomplicated).

Maybe we could still try to become a part of OpenPGP, which would totally rock of course but seems unrealistic to me at the moment. Does anyone here know how IETF standardisation works and how difficult it is to become part of an RFC? In principle, we could even try to propose our own draft/RFC for Namecoin related things like, for instance, NameID login or this PGP integration. Do you think this is a good idea or just a waste of time? In principle, the standard need not even be Namecoin-specific but could be based on an abstract decentralised name-value storage agnostic of the underlying system details. Maybe this would help to get acceptance.

Re: Integration into Enigmail for GPG keys

Post by biolizard89 »

domob wrote:Another reply was this:
There's a serious bootstrapping problem here.

Enigmail's mission statement: "We provide a convenient front-end to GnuPG's OpenPGP functionality. No more and no less."

GnuPG's mission statement: "We provide implementations of OpenPGP (RFC4880) and S/MIME (RFC5721). No more and no less."

I don't know enough about Namecoin to talk intelligently about it. However, until Namecoin becomes a part of either RFC4880 or RFC5721, it is unlikely to be supported within either GnuPG or Enigmail.

The best way to proceed, I think, would be to set up a keyserver that could interact with a Namecoin back-end and communicate over the existing HKP protocol. If you can get people using Namecoin through a shim like that, then over time you might be able to get people to use Namecoin directly.
It seems as if this person (not sure who he is and how official this opinion is) doesn't see Namecoin support for Enigmail, not even as a small "extra feature" over being only a front-end for GnuPG. I'm not really sure how the suggestion with a key server should work, but it sounds like being both overcomplicated and centralised, so not trust-free (but the server could be set up locally, then it is only overcomplicated).

Maybe we could still try to become a part of OpenPGP, which would totally rock of course but seems unrealistic to me at the moment. Does anyone here know how IETF standardisation works and how difficult it is to become part of an RFC? In principle, we could even try to propose our own draft/RFC for Namecoin related things like, for instance, NameID login or this PGP integration. Do you think this is a good idea or just a waste of time? In principle, the standard need not even be Namecoin-specific but could be based on an abstract decentralised name-value storage agnostic of the underlying system details. Maybe this would help to get acceptance.
How extensible is Enigmail? Could a secondary Thunderbird extension just hook some Enigmail routines and do what we want without modifying Enigmail?

Standardization in IETF might be interesting but I don't see it happening soon (although I haven't given much thought to the matter).

Re: Integration into Enigmail for GPG keys

Post by domob »

biolizard89 wrote:How extensible is Enigmail? Could a secondary Thunderbird extension just hook some Enigmail routines and do what we want without modifying Enigmail?
This is what I thought about, too. I mentioned this idea on the mailing list but haven't yet gotten any replies with respect to this point. I doubt it, to be honest. (If it is possible, it would be my favourite way forward, though.) I suggested something like this ("secondary" plugins) also for pidgin-otr, and there the response was that this is not possible. (Pidgin is thinking about supporting OTR natively, though, which would then allow an "ordinary" plugin to provide Namecoin support. This is what I'm waiting for at the OTR front ATM, not sure how long it will take.)

I think I may start with a plain fork of Enigmail including my patches. At least as a proof-of-concept and to try things out this should be easy enough. It will mean, though, that I have to keep up with their development, security fixes, releases and so on, and distribute my own binaries/xpi. It would be great if we could get rid of this.

Re: Integration into Enigmail for GPG keys

Post by domob »

It seems there's some serious misunderstanding going on. Someone suggested to build an LDAP server that can be queried for keys and looks them up in the blockchain, but is doubtful about Namecoin as the GPG WoT requires that others are able to modify one's key on the blockchain in order to sign it.... I tried to clear that up, but not sure whether it actually works. It is really interesting to get opinions of people outside the whole Bitcoin-crypto system. Another one looked up Bitcoin and thinks it is "very messy" (transaction malleability press anyone?) and too immature, even though Namecoin "seems not to be affected" by these things. :) Note, though, that those who replied so far said they were from the help team and not developers. So not sure how technically inclined they are, or where to reach the actual developers. (It is the -users mailing list, but it's the only one prominently listed on their website and also no one redirected me to another channel so far.)