Defeating Sauron with the “Trust on first use” principle
Gandalf and Frodo did the right thing when they went for destroying the power of the all-seeing eye. The idea of a central power that knows everything undermines our ability to self-govern and influence important changes in society, it undermines a foundation of democracy.
As against Sauron, it seems like an impossible fight to try to protect our communication against present-day espionage cartels. I see glimmers of hope, though. Certainly not much in the political space. Somehow our politicians are themselves too interested to use the eye on select targets — even if only the ones which Sauron allows them to see.
My bigger hope lies with technologists who are working on designing better communication systems. We still have time during which we can reduce Sauron’s sight. But to begin with, how do we prevent passive spying attacks against our communications?
A good part of the answer lies in the Trust on first use principle. The mobile Threema application is a good example: when two people first connect with each other, they exchange communication keys and afterwards use it to perform end-to-end encrypted communications. The key exchange can happen in full sight of the eye, yet the subsequent communication will be illegible. No question, the eye can notice that the two are communicating with unknown content but if too many of them do that this fact becomes less significant.
Of course, the all-seeying eye can send a Nazgul to stand in the middle of the communication to deceive both ends and listen in. But it needs to do so from the beginning and continously if it wants to avoid the victims from noticing. And those two can at any time meet to verify their encryption keys and would realize there was a Nazgul-in-the-middle attack.
By contrast, both SSL and GPG operate with a trust model where we can hear Sauron’s distant laughter. The one is tied to a thousand or so “root authorities”, which can be easily reined in as need be. The other mandates and propagates such a high level of initial mistrust between us that we find it simply too inconvenient to use.
Societies and our social interactions are fundamentally build on trust. Let’s design systems which build on initial trust and which help to identify after-the-fact when it was compromised. If the eye has bad dreams, then i am sure massively deployed trust-on-first-use communication systems are among them.
metaprogramming and politics 
GPG does not require you to use any trust model. It has support for some trust model in an acyclic graph fashion, you just sign keys that you acquired and verified yourself and give them a trust level. But it does not come with any trusted keys installed, so it is no threat at all.
Comparing it with SSL’s hierarchic trust model with arbitrary root keys in some browser or system implementations is not fair,especially as it does not depend on any trust model.
Jens-Uwe Mager
October 29, 2013 at 12:22 am
Technically you are right i think. But the typical trust model advertises with GPG, including crypto parties and identifying with passports etc., does not do “trust-on-first use” at all, does it?
That said, i’d like to explore how to configure and use gpg (especially for mail) in a trust-on-first-use way. I also hope and would like to talk to Mailpile people to adapt such a strategy.
holger krekel
October 29, 2013 at 6:55 am
hi holger,
i like the advocacy of “trust on first use” :), but imho your case regarding gpg is indeed wrong. in fact, its trust model is very similar to that of threema in that regard, albeit the latter makes key verification more convenient (well, at least more enjoyable :)). with gpg, you also initially download the recipient’s key from a keyserver (like in threema’s case from their servers) and trust it initially. unless you actually verify it by comparing fingerprints etc you cannot be sure there’s no man-in-the-middle, but you can surely start using that key without any of that. scanning a QR-code is less tedious than key-signing parties, of course, but that could be implemented for gpg as well[*]. in any case, the models are pretty much the same (except that gpg additionally offers the “net of trust”, where explicit key verification can be safely skipped sometimes), and i’d argue that gpg very much operates on “trust-on-first-use”…
nevertheless i’ve downloaded threema and will happily start using it as an alternative to whatsapp and viber! see you there! 🙂
cheers,
andi
[*] perhaps that would even make a nice app: exchange keys when meeting using your mobiles like threema, except that the app would search all past (gpg-encrypted or -signed) mails from the offered address and compare the fingerprint with those extracted from such mails.
Andreas Zeidler
October 30, 2013 at 8:40 am
has anybody built a browser plug-in that does this? is it feasible?
I gather this is called “key continuity” elsewhere.
Would that SSL had started this way in the first place…
Dan Connolly (@dckc)
December 21, 2014 at 3:45 am
[…] Combining trust on first use both for encryption keys *and* source code will help you defeat Sauron! […]
pguth/peermesh | GITROOM
November 14, 2015 at 1:43 pm
Dieses Gitroom irrt sich. Das Repository zu dem Zitat findet sich hier: https://github.com/pguth/peermesh
Per
December 30, 2015 at 3:23 pm