[linux-elitists] Phil Zimmermann on key exchange

Seth David Schoen schoen@loyalty.org
Tue Nov 13 22:03:50 PST 2001

M. Drew Streib writes:

> Or you could sign the messages themselves. ;)
> I'm actually thinking about implementing Phil's email verification scheme,
> btw, although I'm still debating its usefulness. We'll see...

Brad Templeton, who's the Chairman of the Board of EFF, had a thought
about one way to make e-mail cryptography easier -- by eliminating key
I was researching Brad's idea for EFF.  Although you would think EFF
would be full of heavy PGP users, it's really not; many of our staff
members complain that key exchange is difficult and tedious, and the
plugins for their various mail clients are hard to use.  There is the
sense that, if EFF doesn't use PGP regularly, the rest of the world
isn't very likely to, either.

So Phil's robot CA idea actually sounds more practical to me than
Brad's idea; in particular, it has better compatibility with regular
PGP encryption -- and it seems that it may be more robust in some
ways.  The robot CA is intuitive and fairly secure if you don't expect
active MITM attacks.

Although I've written various pessimistic essays about the importance
of PKI or fingerprint verification, I do usually type "yes" when ssh
says stuff like

The authenticity of host 'soda.berkeley.edu (' can't be
DSA key fingerprint is b2:2b:32:26:6e:19:d3:f0:f2:51:70:25:30:c1:54:22.
Are you sure you want to continue connecting (yes/no)?

and ssh _still provides useful and beneficial security to me_ even
though I am clearly vulnerable to MITM attacks using tools like
sshmitm from dsniff (which, by the way, is included on the LNX-BBC).
On a wired network, an attacker actually runs a fairly high risk of
detection if he or she attempts to do active attacks over a long
period of time -- there's so much that can go wrong or look funny, and
potentially be traced to a particular physical location.  (On wireless
networks, you can perform the same attacks and be completely anonymous
and virtually impossible to track down.)

David Wagner took a quick look at Brad's e-mail encryption idea and
suggested that -- like using ssh and always typing "yes" -- it was
vulnerable to MITM attacks but could be useful and helpful to most
people most of the time.  (Especially if their alternative is akin to
using telnet.)

With that philosophy in mind, it seems that the robot CA could be a
helpful thing.  E-mail clients could also support the robot CA
automatically, in two parts:

(1) When you generate a key, you automatically submit it to the robot
CA.  When the robot CA's confirmation message arrives (with some sort
of challenge), you automatically respond to confirm that you are the
real owner of the key you submitted.

(2) When you want to send a message to a user, you first check whether
you have the user's public key on a local keyring.  (Most users would
never manually add any keys to their keyrings.)  If not, you would
send a query for the user's e-mail address to Phil's hypothetical
"keyserver which only accepts keys which are signed by the robot CA";
if you get a key for that user, you add it to the local keyring and
use it (automatically) to encrypt the mail.  If you don't get a key
for that user, you just send the mail in the clear.
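
The two-part flow above, worked through as an added example (not code from the original post or from any real robot CA or keyserver): a Python toy in which the robot CA's signature is stood in for by an HMAC over the address/key binding, checked by the keyserver via a shared CA_SECRET (a real design would use the CA's public-key signature); all addresses, keys and the mail delivery are constructed.

```python
"""Toy model: robot CA challenge, CA-only keyserver, opportunistic sending."""
import hmac, hashlib, secrets

CA_SECRET = secrets.token_bytes(32)  # constructed stand-in for the CA's signing key

def ca_sign(address, pubkey):
    # Toy "signature" over the binding; a real CA would sign with a private key.
    return hmac.new(CA_SECRET, f"{address}\0{pubkey}".encode(), hashlib.sha256).hexdigest()

class RobotCA:
    """Step (1): binds an address to a key only after a mail round trip."""
    def __init__(self, mailboxes):
        self.mail = mailboxes      # simulated delivery: address -> list of challenges
        self.pending = {}          # challenge token -> (address, pubkey)
    def submit(self, address, pubkey):
        token = secrets.token_hex(16)
        self.pending[token] = (address, pubkey)
        self.mail.setdefault(address, []).append(token)  # sent to the claimed address
    def confirm(self, token):
        address, pubkey = self.pending.pop(token)         # KeyError if token is bogus
        return address, pubkey, ca_sign(address, pubkey)

class KeyServer:
    """Accepts only keys carrying a valid robot-CA signature."""
    def __init__(self):
        self.keys = {}
    def upload(self, address, pubkey, sig):
        if not hmac.compare_digest(ca_sign(address, pubkey), sig):
            return False                                  # unsigned/forged key rejected
        self.keys[address] = pubkey
        return True
    def lookup(self, address):
        return self.keys.get(address)

def send(local_keyring, keyserver, recipient, body):
    """Step (2): local keyring, then keyserver, then fall back to cleartext."""
    key = local_keyring.get(recipient) or keyserver.lookup(recipient)
    if key is None:
        return ("cleartext", body)     # no key anywhere: opportunistic fallback
    local_keyring[recipient] = key     # cache for next time
    return ("encrypted-to", key)       # actual encryption elided

def demo():
    mail, keyring = {}, {}
    ca, ks = RobotCA(mail), KeyServer()
    ca.submit("alice@example.org", "ALICE-PUBKEY")        # constructed
    token = mail["alice@example.org"].pop()               # only the mailbox owner sees it
    assert ks.upload(*ca.confirm(token))
    assert not ks.upload("bob@example.org", "FORGED-KEY", "00")
    return send(keyring, ks, "alice@example.org", "hi"), send(keyring, ks, "bob@example.org", "hi")
```

The forged upload fails and Bob's mail goes out in the clear, which is exactly the passive-only guarantee the scheme offers: nothing here stops an attacker who can read Alice's mailbox from confirming a key of their own.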

Sounds pretty good to me, relative to not using PGP at all.  It is an
"opportunistic" scheme which protects only against passive attacks.
But almost all attacks on the privacy of e-mail are passive attacks.
If attackers are forced to start using active attacks, users and
administrators might start to notice mysterious signs that something
is not quite right -- funny log messages, unexplained errors -- which
could serve as the functional equivalent of mysterious clicks on your
phone line, suggesting that it's being tapped.

Seth David Schoen <schoen@loyalty.org> | Its really terrible when FBI arrested
Temp.  http://www.loyalty.org/~schoen/ | hacker, who visited USA with peacefull
down:  http://www.loyalty.org/   (CAF) | mission -- to share his knowledge with
     http://www.freesklyarov.org/      | american nation.  (Ilya V. Vasilyev)