OddThinking

Secure Email is Hard

Ever since Phil Zimmerman wrote an application called PGP way back in the pre-bubble times, it has been the most obvious, and sometimes only, choice for encrypting email conversations.

Since then it has matured, been sold off, commercialised, re-implemented by the GNU project as the GNU Privacy Guard, and is still in wide use. However, the main barrier to its success have always been the limitations imposed by the nature of secure communications. In order for me to encrypt mail to you I need to know that you are who you say you are. This is where the complexity comes in.

The GNU Privacy Handbook is an attempt to distil down the most basic theory and practice of the tool without sacrificing security. It is absolutely essential reading for users of the GNU Privacy Guard, and a pretty good introduction to the world of secure email communication.

One thing that the GNU Privacy Handbook does not discuss is the limitations of the tool in maintaining independent identities. This is what I want to address here.

GnuPG Identity Management

When you create a keypair (used for encrypting and signing things in GnuPG), you associate to it one or more “user IDs”. These are basically email addresses with an optionally associated real name and comment. As they put it:

Only one user ID is created when a key is created, but it is possible to create additional user IDs if you want to use the key in two or more contexts, e.g., as an employee at work and a political activist on the side. A user ID should be created carefully since it cannot be edited after it is created.

User IDs can be signed to indicate that other people attest to your identity.

Normally, a user ID collects signatures that attest that the user ID describes the person who actually owns the associated key. In theory, a user ID describes a person forever, since that person will never change. In practice, though, elements of the user ID such as the email address and comment may change over time, thus invalidating the user ID.

The implications here may not be obvious. They certainly weren’t to me, anyway, so I’ll spell it out.

User IDs are irrecoverably bound to each other.

In the example given, namely of an employee and political activist, it is quite likely that the GnuPG solution of having two user IDs for the same keypair is actually not what the person (let’s call him Bob) wants. It is more likely that they want two separate keypairs to correspond to the two separate digital identities. Bob probably doesn’t want anyone to know that bob@halliburton.com is the same person as bob@socialist-alliance.org.

This highlights the difference between privacy and anonymity. Privacy applies to the communication between two parties, and anonymity applies to the identity of a single party.

(Anonymity is a somewhat undesirable term here because it implies, through colloquial usage, a disposable identity which is not capable of strong authentication. Perhaps a better general term is independent digital identity.)

GnuPG gives you privacy of communication, but it does not (automatically) give you independent digital identities. The distinction is sometimes subtle and easy to forget. It was brought home forcefully to me recently, courtesy of GnuPG.

A Cautionary Tale

I maintain an online identity which until recently was more-or-less separate from my real life identity. It had an email address which I used to keep separate from my other email addresses. It was not associated with my surname so that I could not be identified that way either.

All that changed when I added my online identity to my GnuPG keypair. At the time I didn’t fully appreciate what I was doing (perhaps lulled into a false sense of security by the wording of the GNU Privacy Handbook quoted above). All of a sudden my online identity was irrevocably bound to my real life identity. I only realised this after uploading the public key to the public keyserver network.

I couldn’t undo it either. I could remove the problematic user ID from my public key, but according to the privacy handbook this doesn’t do any good:

By default, when a user imports your updated public key it will be merged with the old copy of your public key on his ring if it exists. The components from both keys are combined in the merge, and this effectively restores any components you deleted. To properly update the key, the user must first delete the old version of your key and then import the new version. This puts an extra burden on the people with whom you communicate. Furthermore, if you send your key to a keyserver, the merge will happen regardless, and anybody who downloads your key from a keyserver will never see your key with components deleted.

The public key which now contained all of my email addresses was now the means by which my previously independent online-only identity could be connected to my real life identity. Which meant that through the PGP keyservers you could go from my online identity to my real name, to my current and previous employers.

This is why I agreed with Julian to publish this anonymously. I can’t publish it using my online identity for obvious reasons. However I don’t believe it is a well-understood limitation of GnuPG (and other PGP-alikes) that one and only one identity is supported. So I am writing this to explain the situation and hopefully prevent others from “leaking” anonymity in the way that I did.

Maintaining separate digital identities is hard. There are lots of ways in which you can accidentally leak one identity into another. Hopefully after reading this you will be on guard against at least one of these.