Hello and welcome

Sean Doig

Apr 10, 2014, 12:22:45 PM
to d2x...@googlegroups.com
Somewhat predictably my second foray into this issue appears to be slightly less successful than the first and currently vetting applicants to this group seems a bit like premature optimisation.  So hello, and welcome!

If we are going to make any kind of headway on anything here I think we need to spread the word a bit more, unless you guys think the 5 of us is enough to start cracking heads?

Any suggestions on pretty much anything?

Nathan Loofbourrow

Apr 10, 2014, 1:04:40 PM
to d2x...@googlegroups.com
My thoughts, based on your blog posts:

1. We need a direction. Your post put a stake in the ground that says "Use PGP for certificates." Let's determine whether that is the right option both technically (currently, only GnuTLS supports it) and practically (is web-of-trust too impractical for most users? Can it be made more practical without serious compromise?)

2. The option chosen needs to be implemented widely. Better to add support for PGP in OpenSSL, say, than expect every software writer to suddenly adopt GnuTLS.

3. Help open source projects adopt the new option. Mozilla would be a big step.

4. Once open source options are available, pressure closed source vendors to feature match.

Thoughts?

Taylor Gerring

Apr 10, 2014, 1:48:21 PM
to d2x...@googlegroups.com
Not sure that this helps us achieve our goals, but I found it very interesting to learn that PGP keys can be referenced and even stored directly in DNS. (Reference: http://www.gushi.org/make-dns-cert/HOWTO.html)

Of course, this presents its own problem with DNS centralization :)

Additionally, the OpenPGP Message Format includes a specification for inclusion of arbitrary data as UserAttributes. The only official Subpacket type is 1/Image, however, should this feature prove useful, we could define additional Subpacket types. See https://tools.ietf.org/html/rfc4880#section-5.12 for more information.

Taylor
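
The User Attribute subpacket layout from RFC 4880 section 5.12, referenced in the message above, as an added example that is not part of the original thread: a bounds-checked Python parser that labels the official image type 1, the range 100 to 110 that the RFC reserves for private or experimental use, and unrecognized types. The function names, the `encode` helper and the sample bytes are constructed for illustration, and the use of type 100 is hypothetical.

```python
import struct

def read_length(buf, pos):
    """Decode an RFC 4880 subpacket length (1, 2 or 5 octets) starting at pos."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        if pos + 2 > len(buf):
            raise ValueError("truncated 2-octet length")
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if pos + 5 > len(buf):
        raise ValueError("truncated 5-octet length")
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def valid_image_header(data):
    # v1 header: little-endian length 16, version 1, encoding 1 (JPEG), 12 zero octets
    return len(data) >= 16 and data[:4] == b"\x10\x00\x01\x01" and data[4:16] == bytes(12)

def parse_user_attribute(body):
    """Split a User Attribute packet body into (type, label, data) tuples."""
    out, pos = [], 0
    while pos < len(body):
        length, pos = read_length(body, pos)
        # The length counts the type octet, so it is at least 1 and must fit the body.
        if length < 1 or pos + length > len(body):
            raise ValueError("subpacket length out of bounds")
        stype, data = body[pos], body[pos + 1:pos + length]
        pos += length
        if stype == 1:
            label = "image" if valid_image_header(data) else "malformed-image"
        elif 100 <= stype <= 110:
            label = "private/experimental"
        else:
            label = "unrecognized (ignored)"
        out.append((stype, label, data))
    return out

def encode(stype, data):
    """Build one subpacket with a 1- or 2-octet length (for the constructed sample)."""
    n = len(data) + 1
    if n < 192:
        return bytes([n, stype]) + data
    return bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF, stype]) + data

# Constructed sample: a stub JPEG image plus a hypothetical experimental type 100.
SAMPLE = encode(1, b"\x10\x00\x01\x01" + bytes(12) + b"\xff\xd8\xff\xd9") + encode(100, b"x" * 300)
```
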

Sean Doig

Apr 10, 2014, 1:48:41 PM
to d2x...@googlegroups.com
Ladies and gentlemen we are in the presence of greatness as we welcome to the group Taylor Gerring - Chief Infrastructure Architect at Ethereum, VP of Engineering at Hive Wallet, and a bunch of other achievements I won't transcribe from his LinkedIn.  Hello!

Sean Doig

Apr 10, 2014, 1:55:58 PM
to d2x...@googlegroups.com
Nathan thanks for this.

I think on your first point you're dead right, we need to find out whether this PGP idea could actually work.  Taylor's comments below might open some interesting doors none of us had considered before.

You're also spot on with 2, 3, 4; however, I think that we can't really hope or expect to make waves at all in this regard until we're more than a bunch of guys with a good idea, but what exactly that 'more' is I'm not sure.  My gut says allies.

Sean Doig

Apr 10, 2014, 1:57:30 PM
to d2x...@googlegroups.com
Perhaps there is scope for a PGP/DNS product that complements the current system as an interim goal?

Taylor Gerring

Apr 10, 2014, 2:55:09 PM
to d2x...@googlegroups.com
There are a few new technologies that could be considered given a sufficient timeline, including DNS-on-blockchain. Namecoin attempted this with a Bitcoin-style blockchain (.bit TLD), but it has its own drawbacks that need attention and development. Ethereum would [also theoretically in the future] allow a Namecoin-style contract to exist within its consensus network, allowing the total displacement of centralized services like DNS.

Given the possibilities with distributed consensus, would it be better to scope this project larger as a whole distributed replacement for a fundamentally centralized system... or do we shoehorn a fix scoped specific to X.509?

Given sufficient resources and the hope of launching Ethereum mainnet in Q4 2014, I'd prefer to work in tandem with new blockchain advancements to develop a replacement for the existing system while keeping an eye on how we can minimize transition friction.

Thoughts? :)

Taylor

Michael Decerbo

Apr 12, 2014, 10:17:44 AM
to d2x...@googlegroups.com
I think DNSChain (http://okturtles.com/ and https://github.com/okTurtles/dnschain) is the best approach I have seen so far.
Please check it out and see if you agree.

Some discussion on the cryptography mailing list is archived here: http://lists.randombit.net/pipermail/cryptography/2014-February/006237.html

Mike

Sean Doig

Apr 12, 2014, 2:52:57 PM
to d2x...@googlegroups.com
The discussion here is interesting and has shown that there are many avenues to solving this.  But I've been having a think and I think the problem with a DNS/Namecoin etc. approach is that although it may be an interesting road to go down, I'm not sure it's our best hope towards seeing actual change - even if we built and battle tested those solutions, the uphill battle to adoption would (to my mind) remain incredibly steep.  We're talking about ripping out and replacing enormous chunks of both the server and browser stack.

It seems to me that a logical first step would be to:

  1. Figure out if GnuTLS can really handle PGP certs properly (I'm sure this feature has hardly ever been used)
  2. Modify a browser/create a plugin to handle the PGP certs on the client

This approach encapsulates a good proof of concept.  If the GnuTLS side of things works then we have a good base for building an OpenSSL patch, and if we get that merged (a big hope I know) then almost every server on the planet would be in the position of having the choice to use PGP for certs via nothing more than a config file.  It seems to me that this proves a big point, after which we have a lot of options for where to go next.  It also feels like having a repo full of working code would be a better place to build momentum as people who agree with the idea can just hack away and submit a patch without having to get caught up in the whole discussion aspect.

I know that questions remain over whether PGP could ever really do this at scale in its current form, after all the global web of trust would have billions of nodes, but from what I understand we'd be a lot better at scaling something like that today than they were back when they said it was unscalable - and that's without even starting a discussion on whether or not we could hack on PGP itself to make improvements.

These are just my thoughts.  What do you think?