[linux-elitists] Phil Zimmermann on key exchange

Seth David Schoen schoen@loyalty.org
Fri Dec 7 23:42:26 PST 2001


Reviving a thread from last month:

Seth David Schoen writes:

> M. Drew Streib writes:
> 
> > Or you could sign the messages themselves. ;)
> > 
> > I'm actually thinking about implementing Phil's email verification scheme,
> > btw, although I'm still debating its usefulness. We'll see...
> 
> Brad Templeton, who's the Chairman of the Board of EFF, had a thought
> about one way to make e-mail cryptography easier -- by eliminating key
> infrastructure:
> 
> http://www.templetons.com/brad/crypt.html
> 
> I was researching Brad's idea for EFF.  Although you would think EFF
> would be full of heavy PGP users, it's really not; many of our staff
> members complain that key exchange is difficult and tedious, and the
> plugins for their various mail clients are hard to use.  There is the
> sense that, if EFF doesn't use PGP regularly, the rest of the world
> isn't very likely to, either.
> 
> So Phil's robot CA idea actually sounds more practical to me than
> Brad's idea; in particular, it has better compatibility with regular
> PGP encryption -- and it seems that it may be more robust in some
> ways.  The robot CA is intuitive and fairly secure if you don't expect
> active MITM attacks.

The Board of Directors of EFF met today in San Francisco, and I made a
presentation about this, in the presence of Brad Templeton and others.
One of the conclusions was that EFF's role in implementing something
like this is still not defined clearly enough, and we don't know what
we could most usefully do.

For example, some people like the idea of standardizing protocols
through the IETF; others prefer a completely independent development
of a spec (possibly with advance commitments or at least expressions
of interest from vendors), and then submission to standards bodies
after the technical work is more of a fait accompli.  There is some
disagreement about who exactly should write which code, for what
platform, and what effect it would have for different people (e.g.
famous cryptographers, civil liberties organizations, well-known
scientists or network engineers) to endorse various approaches in
various places.

We want to figure out more about what EFF can best do to make this
happen.  Brad Templeton is planning to write to Phil Zimmermann, and I
plan to write to Phil Karn and some other people.

On the technical side, Brad still prefers his approach to the robot CA.
I argued that the robot CA might be better because it's harder to
launch MITM attacks (you only have _one_ opportunity, at the initial
key verification step, and not each time a new pair of people begin
communicating with one another).  There's also less overhead, because
an interactive verification step happens once per person rather than
once per pair of communicating parties (and keys are only ever sent to
people who can really use them).

Brad was concerned that the robot CA is a single point of failure and
an easy target for attacks (DOS, subpoena, physical intrusions); it
_does_ hold some secret and trusted information (its own private
signing key) and also has a uniquely valuable key which can be
compromised -- an event which would tend to undermine the entire
scheme.  He added that both schemes are equally secure against passive
wiretapping, and the scheme he outlined can survive even if the
organizations which originally supported it go away.

Brad's revision of the PGP threat model is fairly radical; he says
that it's reasonable to accept that e-mail messages will be
compromised if an attacker performs an active MITM attack at the right
time, or if your computer is physically compromised or seized, or
even, in some configurations, possibly if your ISP's mail server is
physically compromised or seized (which was the hardest for me to
accept).

I want to bifurcate the issue and ask everyone here:

(1) What's the best design for an "informal key exchange" scheme in
which active MITM attacks may be permitted, but privacy against
passive wiretapping (as well as trivial impersonation attacks) is
maintained?  How can this be implemented with the smallest amount of
user interface, while maintaining the largest amount of compatibility
in both directions with existing e-mail privacy systems for
sophisticated users?

(2) What's the best way to get such a system designed and deployed to
the general public?  How can an organization like EFF best help
accomplish this?  Whose help do we need?

-- 
Seth David Schoen <schoen@loyalty.org> | Its really terrible when FBI arrested
Temp.  http://www.loyalty.org/~schoen/ | hacker, who visited USA with peacefull
down:  http://www.loyalty.org/   (CAF) | mission -- to share his knowledge with
     http://www.freesklyarov.org/      | american nation.  (Ilya V. Vasilyev)
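A minimal model of the robot-CA flow argued over above, added here as an illustration (it is not code from Phil Zimmermann, EFF or anyone on this list). It assumes ed25519 for both the user's key and the CA's signing key, and stands in for the mailed, encrypted challenge with a nonce handed straight to the caller; the point it makes concrete is that the one interactive step happens per address, after which any correspondent checks a key offline against the CA's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// binding is the byte string the robot CA signs: address, a NUL byte, the key.
func binding(email string, pub ed25519.PublicKey) string {
	return email + "\x00" + string(pub)
}

// RobotCA holds one signing key (the single point of failure discussed above)
// plus the challenges it has mailed out but not yet seen answered.
type RobotCA struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	pending map[string][]byte // binding -> nonce
}

func NewRobotCA() *RobotCA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &RobotCA{priv: priv, Pub: pub, pending: map[string][]byte{}}
}

// Challenge is the one interactive step; really the nonce would be encrypted to pub and mailed.
func (ca *RobotCA) Challenge(email string, pub ed25519.PublicKey) []byte {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	ca.pending[binding(email, pub)] = nonce
	return nonce
}

// Certify signs the binding only if the mailed challenge was answered, which shows the
// submitter reads that mailbox and holds that key: the single point where a MITM could act.
func (ca *RobotCA) Certify(email string, pub ed25519.PublicKey, answer []byte) ([]byte, bool) {
	b := binding(email, pub)
	want, ok := ca.pending[b]
	if !ok || string(want) != string(answer) {
		return nil, false
	}
	delete(ca.pending, b) // one-shot: a replayed answer is refused
	return ed25519.Sign(ca.priv, []byte(b)), true
}

// VerifyBinding is what a correspondent's mail client runs on a received key: no interaction.
func VerifyBinding(caPub, pub ed25519.PublicKey, email string, sig []byte) bool {
	return ed25519.Verify(caPub, []byte(binding(email, pub)), sig)
}
```

Whoever holds the CA's private key can mint bindings for any address, which is exactly the compromise Brad worried about; a second CA's key, or a binding for a different address, is rejected by VerifyBinding.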
