Mailing List Archive

PhD project ideas
Hi,

I am trying to apply for PhD studies, and usually they ask you
for a project proposal, what will be the topic of your research
(and development). The time of PhD studies is usually 3 years.

I have a couple of ideas myself, but I would also like to ask
your opinion. Are there any project ideas that can benefit
or improve GnuPG?

For example, from some discussions here I get that the fact
that keyservers do not allow you to remove your keys may be
a problem for the right to be forgotten of GDPR.

Personally I think that keyservers should allow the users
to remove their own keys. If this is a bad thing, let the user
software take care of it, do not enforce it on the keyserver.
The keyserver is just a servant and it should obey the orders
of the user, even if they damage the user himself.

The user's software (that runs in the computer of the user,
`gpg` or something else), should warn the user about the bad
consequences of making a wrong decision. But if the user
wants to shoot himself on his foot, let him do it. This is in line
with the Unix/Linux philosophy that the user knows what he
is doing.

So, would an improvement or rewrite of the keyserver software
be a useful project for GnuPG (and a good PhD project proposal)?
What other projects could be beneficial for GnuPG?
If you had money available for sponsoring PhD students,
for what projects would you spend them?

Regards,
Dashamir
Re: PhD project ideas [ In reply to ]
On Sat, 9 Jun 2018 11:07, dashohoxha@gmail.com said:

> The keyserver is just a servant and it should obey the orders
> of the user, even if they damage the user himself.

The keyservers are the white pages for keys. You can't change white
pages once they have been printed and delivered. Well, unless you setup
a Minitrue.


Salam-Shalom,

Werner

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: PhD project ideas [ In reply to ]
> On 9 Jun 2018, at 10:07, Dashamir Hoxha <dashohoxha@gmail.com> wrote:
>
> The keyserver is just a servant and it should obey the orders
> of the user, even if they damage the user himself.

The keyservers don’t obey anyone’s orders. They a fairly dumb, but efficient, cache. If you want a system that obeys orders then it might be better to use something like WKD or keybase, where keys are attached to individual user accounts.

The keyservers perform three main services: finding keys, updating keys and revoking keys. There are other ways of finding and updating keys these days, even if none of them are as broadly used. For me though, the killer application for the keyservers is efficient distribution of revocations.

In a GDPR apocalypse scenario the simplest fallback position for the keyservers is probably to blacklist any packets containing user IDs. This would mean keyservers would no longer be usable for finding keys by ID, but their other functions would be maintained.

This has all been discussed in excruciating detail over on the sks-devel list in the last few months, including several suggestions for keyserver improvements. This thread is probably best continued there.

A

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: PhD project ideas [ In reply to ]
On Sat, Jun 9, 2018 at 1:34 PM, Andrew Gallagher <andrewg@andrewg.com>
wrote:

>
> > On 9 Jun 2018, at 10:07, Dashamir Hoxha <dashohoxha@gmail.com> wrote:
> >
> > The keyserver is just a servant and it should obey the orders
> > of the user, even if they damage the user himself.
>
> The keyservers don’t obey anyone’s orders. They a fairly dumb, but
> efficient, cache. If you want a system that obeys orders then it might be
> better to use something like WKD or keybase, where keys are attached to
> individual user accounts.
>

I don't know what is WKD, and Keybase as far as I know is centralized, it
is not distributed.
If it was distributed, it would have been a better alternative than
keyservers, in my opinion.

The keyservers perform three main services: finding keys, updating keys and
> revoking keys. There are other ways of finding and updating keys these
> days, even if none of them are as broadly used. For me though, the killer
> application for the keyservers is efficient distribution of revocations.
>

In a GDPR apocalypse scenario the simplest fallback position for the
> keyservers is probably to blacklist any packets containing user IDs. This
> would mean keyservers would no longer be usable for finding keys by ID, but
> their other functions would be maintained.
>

The problem is that I don't care about the keys, because I communicate with
people, not with keys. The keys are just a means of communication. If user
information is removed from the keys, then keyservers become almost
useless, as far as I am concerned.

I don't think there is going to be any "GDPR apocalypse". This has also
been clarified from previous discussions here.
But I do think that the keys should not be published for ever and ever, up
to the eternity. The owner should be able to remove them for whatever
reason he deems this is right.

This has all been discussed in excruciating detail over on the sks-devel
> list in the last few months, including several suggestions for keyserver
> improvements. This thread is probably best continued there.
>

Of course. But this thread was not only about the keyservers, they were
just an example.

Dashamir
Re: PhD project ideas [ In reply to ]
Hi,

On Saturday, June 9, 2018 2:51:23 PM CEST Dashamir Hoxha wrote:
> I don't know what is WKD, and Keybase as far as I know is centralized, it
> is not distributed.

WKD is the Web Key Directory [1][2] so that you can do with recent versions of
GnuPG a:

"gpg --locate-key aheinecke@intevation.de"

Which then gets the key from intevation.de without a keyserver and without a
walkable directory.

As for other projects maybe some ideas:
- A look at the trustmodels of OpenPGP with maybe ideas how to improve them or
their usage.
- Usability studies of OpenPGP MUA's and comments / improvements about this.
(Why Johnny still still can't encrypt) Here with the focus on concrete
suggestions what to imrpove.
- Private key sync between multiple devices.
- Private key backup that is understandable to users who generally only know
recoverable passwords as secret.

Best Regards,
Andre

1: https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service
2: https://wiki.gnupg.org/WKD

--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998
Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: PhD project ideas [ In reply to ]
On Mon, 11 Jun 2018 08:20, aheinecke@intevation.de said:

> - Private key sync between multiple devices.

I already started with that. No code yet, though.


Salam-Shalom,

Werner

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: PhD project ideas [ In reply to ]
On 09/06/18 13:51, Dashamir Hoxha wrote:
> If user information is removed from the keys, then keyservers become
> almost useless, as far as I am concerned.

They become useless for the purposes of searching by user ID. But the
association of a user ID to a given key is only the first step in the
process. Once that is done, all sorts of other things happen in the
background based on fingerprints, and which the ordinary user will
rarely see because they are automated.

For example, keyservers are vital for propagating revocations. If my key
is stolen, and I revoke it, the best place to publish that revocation is
on the keyservers. They are the most widely supported directory and it
is not only possible but recommended that PGP clients refresh their
keyrings from the keyservers on a schedule. Removing user IDs would not
affect this process.

--
Andrew Gallagher
Re: PhD project ideas [ In reply to ]
> I already started with that. No code yet, though.

Oh, interesting. Can you elaborate on your approach? Is there somewhere I can
read about it?

- V


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: PhD project ideas [ In reply to ]
On Mon, Jun 11, 2018 at 8:20 AM, Andre Heinecke <aheinecke@intevation.de>
wrote:

> Hi,
>
> On Saturday, June 9, 2018 2:51:23 PM CEST Dashamir Hoxha wrote:
> > I don't know what is WKD, and Keybase as far as I know is centralized, it
> > is not distributed.
>
> WKD is the Web Key Directory [1][2] so that you can do with recent
> versions of
> GnuPG a:
>
> "gpg --locate-key aheinecke@intevation.de"
>
> Which then gets the key from intevation.de without a keyserver and
> without a
> walkable directory.
>

This seems interesting. I will look at WKD closer.
Any P2P solution for sharing keys would be better than keyservers, in my
opinion.


>
> As for other projects maybe some ideas:
> - A look at the trustmodels of OpenPGP with maybe ideas how to improve
> them or
> their usage.
> - Usability studies of OpenPGP MUA's and comments / improvements about
> this.
> (Why Johnny still still can't encrypt) Here with the focus on concrete
> suggestions what to imrpove.
> - Private key sync between multiple devices.
> - Private key backup that is understandable to users who generally only
> know
> recoverable passwords as secret.
>

These ideas seem interesting too. I have been thinking myself about how to
make
GnuPG more easy and more accessible to people, so that it becomes a part
of normal everyday life. For example nowadays even very old people and very
young children have learned to use smartphones as a part of their everyday
life.
Who would have thought this a few years ago (myself I have started to use
a smartphone almost a year ago).
Can we make GnuPG part of the everyday life?

A few months ago I applied for PhD to a university with a research project
about this,
but I was not accepted. Maybe I applied to the wrong university. I will
append a copy
of the project idea at the end of this message.

Recently I have learned that people interested on Privacy Enhanced
Technologies
have a special mailing list where they post announcements about conferences,
PhD positions, jobs etc. that are related to this topic. I don't know if
there is any similar
mailing list about the PGP/GPG topics.

Regards,
Dashamir

--------------- project idea about making gnupg more popular
---------------------

I have been interested on digital signatures, as an essential tool for
enabling and supporting the
digital identity and establishing a secure relationship between the people
on the real world and digital
documents. This is crucial for creating trust and security on the digital
world and for building a digital
society.

Without digital signatures we cannot be sure that digital documents are
original and we cannot be sure
about their real author (they can be corrupted and manipulated). Without
these guaranties, digital
documents can never be considered official. So, despite using computers,
digital systems and digital
documents, we always have to rely on the hard copies of the documents and
keep them around for official
purposes, since we can’t fully trust the digital documents. This means that
we will never be able to build
totally digital systems for institutions and organizations, free from
papers and hard-copy documents.

I have also written an article that discusses and summarizes these issues,
makes a comparison between
the two authentication models, X.509 and OpenPGP, and makes a few proposals
for solving existing
issues: The Digital Signature and the X.509/OpenPGP Authentication Models
https://www.researchgate.net/publication/317176950_The_Digital_Signature_and_the_X509OpenPGP_Authentication_Models

The technology and tools for making digital signatures have been available
since a long time. The legal
framework for recognizing digitally signed documents as valid for official
purposes does exist since many
years. However we still don't see a widespread usage of digital signatures
on everyday life. For example
very few people use digital signatures to secure their email
communications. It is even less used while
exchanging digital documents between businesses, organizations, or with
government institutions.

There are clearly some problems that prevent the adaptation of the digital
signature technology on the
everyday life. Some of these problems may be:
- The existing tools for making digital signatures are not enough
user-friendly to be used by common
people.
- The existing infrastructure that supports digital identities and their
verification/validation is not
adequate to support the everyday life use-cases.
- There is a lack of literacy about the digital signature and the available
tools, and people don't really
know why or how to use them.

I have been interested for a long time about these issues and how to solve
them. In the past years I have
even developed a tool, called EasyGPG, which tries to solve the first issue
mentioned above (making tools
easy to use). It is a set of shell scripts that wrap GnuPG and try to make
it more accessible and easy to
use: https://github.com/EasyGnuPG/egpg

If I get the chance to do my doctoral studies on your university, my
objective would be
to study and try to find adequate solutions for these problems.

More specifically, I will study in more details any existing tools that
help to ensure security and trust on the
digital world, including asymmetric cryptography, digital signature tools
and infrastructures, blockchain
technologies, etc.

Then I will try to design a system that applies these tools and
technologies to solve a real world
problem. For example, it can be a digitized notary office, which allows the
notary to legalize a digital
document by signing it with his digital signature. It can also help his
clients to sign a digital contract with
their digital signatures, which then can be stamped and legalized by the
notary through his digital
signature. The notary himself can also help his clients to create their
digital certificates (with which they
can sign their digital documents), and he can check, verify, and sign these
digital certificates. Since the
notary is a public, well known, and trusted person, the digital
certificates verified and signed by him
can also be trusted by other parties (institutions, partners, other
notaries, etc.)

I will also try to build a working prototype or a first version of this
software. And of course I will try to make
it as easy as possible, both for the notaries and for the clients, so that
they find its usage intuitive and
natural. In the long term, this may be the beginning of a start-up company,
because the software will need
to be maintained and improved, the notary offices may need training and
support, the infrastructure may
need maintenance, etc.

It seems to me that this is an innovative project, which helps to transfer
advanced technologies to the real
world domain, where they can be accessible and available to everybody on
their normal everyday life. If it
succeeds, it may have a fundamental impact on the society and build a
bridge to a fully digitized society.

----------- end of project idea ----------------------
Re: PhD project ideas [ In reply to ]
On 06/09/2018 08:51 AM, Dashamir Hoxha wrote:
> I don't know what is WKD, and Keybase as far as I know is centralized,
> it is not distributed.
> If it was distributed, it would have been a better alternative than
> keyservers, in my opinion.
>
wkd = Web Key Discovery. 
https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-06 is the
current draft.  Basically, you run a web server with your key on it.
Re: PhD project ideas [ In reply to ]
>> I don't know what is WKD, and Keybase as far as I know is centralized,
>> it is not distributed.
>> If it was distributed, it would have been a better alternative than
>> keyservers, in my opinion.
>>
> wkd = Web Key Discovery.
> https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-06 is the
> current draft.  Basically, you run a web server with your key on it.

Yes on own domain, and over HTTPS.

Recently WKD is gaining some adoption, e.g. gentoo.org added support for
retrieving its developer's keys [0] over WKD.

Kind regards,
Wiktor

[0]: https://gentoo.org/inside-gentoo/developers/

--
https://metacode.biz/@wiktor