[Cryptography] How to build trust in crypto (was:recommending ChaCha20 instead of RC4)
iang at iang.org
Tue Mar 18 21:19:08 EDT 2014
On 18/03/2014 17:26 pm, Ralf Senderek wrote:
> On Tue, 18 Mar 2014 14:09:32 Guido Witmond wrote:
>> both end-points [...] have a secure channel but neither party, nor
>> the site, learns anything else about the other.
>> Not even IP-addresses when using Tor.
> Certainly this is no foundation for trusted communication.
>> Indeed, on the internet, nobody knows you're a dog. At least, give me
>> the tools to get back to the same dog I met last time. I believe that to
>> be a requirement in Ralf's challenge.
> Not at all, if I wished to have a secure channel to Bruce Schneier and
> I use the key from his web site, I'd want that the one who is
> reading my encrypted messages is exactly the one that creates all
> the stuff that I get on the 15th day of the month. And I'd want that only
> this one person can decrypt and that this is done in a secure environment
> which does not expose my messages to others. Short of that I wouldn't call
> this a trusted communication, because the reason I'd start the contact is
> my belief that - given all the context I know about Bruce - this endpoint
> decryptor will actually respond to the content of my message in a way I
> can predict to be what I want it to be. And (please) let me call this
you may :) but I will call it risk. I would say that you look at the
risk concerning all the possibilities in front of you and decide to take
That's fine, no shame, indeed it is what humans do very well. They work
very fast with all the info available and go left or right.
Trust however is another thing. It's like a higher-order integration
over many risk calculations in the past, which results in a new
risk: I take on the risk that I do not have to do any more risk
calculations over a particular context (Bruce is Bruce? Bob looks after
my children? I'll get paid on Friday?) and I'll just keep going on as
if he is.
Trust then is optimised risk analysis over time.
So coming back to the PGP context. PGP's so-called web of trust
provided a framework to help you do a risk calculation, but maybe only a
single input to one. With repeated reliance over time on risk
calculations over successive events, you might have reached the point of
But what is rather apropos here is that PGP didn't really give you much
help there. It gave you a name, which was the thinnest of context, and
even the name wasn't really promised, "Mickey Mouse [0xabcd01234]"
wasn't considered bad.
The rest you had to do yourself. And you had to keep doing it.
how do we put (more?) trust into crypto, if PGP is our starting point?
For the next step in evolution, I'd suggest looking closely at CAcert's
Assurance programme. That programme rewrote the WoT and the CA rulebook.
It didn't (IMO) quite create trust. It came a bit short of it (I say
this in the sense that it went further than anything else I am aware of
in the space). But it did lay the foundation for the next evolution.
I'm making this up as I go along; the real point I am trying to
make is that there is a big difference between risk calculations and
trust. Think of what one means when one says "I trust my spouse." Does
one really say "That's Bruce" and put the word 'trust' in there
somewhere? Or, to really put the point on it, what is meant by "the
trust business" ???