[Cryptography] Proof of preservation...

Jerry Leichter leichter at lrw.com
Thu Mar 5 06:22:12 EST 2015


On Mar 3, 2015, at 8:51 AM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> So folk have probably seen the flap over Clinton's emails. The latest claim being that all the mails were archived.
> 
> http://onpolitics.usatoday.com/2015/03/03/clinton-aide-state-department-e-mails-preserved/
> 
> Leaving aside the politics of the situation... how would folk go about establishing a proof this had been done?
This is an interesting question, but it's well-posed.  Who are the actors involved here?  Who has to prove what to whom?

Some of the components - hashing, digital notaries, timestamping, proofs of retrievability - seem to be there, but it's not at all clear how they might produce the kind of proof you have in mind because they often provide a proof to the wrong party, or produce a proof of the wrong thing.  For example, releasing hashes of all my emails only allows someone to check later, when I've released the emails, that the hashes correspond to those purported emails - not that those were the emails I actually sent, nor that there could not have been further emails.  Notarizing those hashes doesn't change things.  Chaining them just means, if I want to fake things, I have to be consistent about it - no big deal.  Proofs of retrievability come closest, but the prover is whoever holds the mail for me, and it's only useful to prove *to me* that he still holds what I sent him.  In and of itself, it doesn't prove to anyone else that I sent him the right stuff.

Also ... we want the *incoming* mail to be archived as well.  Seeing only one side of a conversation is not particularly useful.  In the situation described, some of the conversations will be with private parties who are under no obligation to archive the messages *they* send.  Even if *everyone's* messages are archived, it's unreasonable to assume a search of every outgoing mailbox in the world in order to find all messages sent to the person offering the proof.  (Of course, I'm sure a certain three-letter agency would be glad to offer such a service - but for their internal use only....)

We've seen over the last couple of decades that all kinds of apparently-impossible system properties can actually be attained using cryptography.  Whether something like a "proof of preservation" is possible ... I don't know.  If it is, the proof would have to be deeply entangled with the actual operation of the system.  For example, it can't be that there's one "channel" by which I receive an email, and another by which my receipt of it is recorded for later proof - that would be like a signature separate from the document signed. The two have to be linked.  It must be the case that by the time I'm in the position to read a message (e.g., I'm in possession of a cleartext copy), a record that I decrypted it has already been made.  The very nature of the problem requires a third party to hold *something* - so the third party will inevitably be involved.
                                                        -- Jerry
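
The limit of published and chained hashes described in the message above, as an added example that is not part of the original post: an auditor can confirm that released mail matches the published chain, and can catch a removal made after publication, but a chain built over an already-filtered mailbox verifies just as cleanly. The chain construction H(prev || H(message)), the all-zero starting value and the sample messages are assumptions constructed for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed fixed starting value for the chain


def link(prev: bytes, message: bytes) -> bytes:
    """One chain step: H(prev || H(message))."""
    return hashlib.sha256(prev + hashlib.sha256(message).digest()).digest()


def build_chain(messages):
    """Return the list of chained hashes the mailbox owner would publish."""
    heads, prev = [], GENESIS
    for m in messages:
        prev = link(prev, m)
        heads.append(prev)
    return heads


def verify(published_heads, released_messages) -> bool:
    """What an auditor can check: released mail matches the published chain."""
    return build_chain(released_messages) == list(published_heads)


# Constructed sample mailbox (not real data).
ALL_MAIL = [
    b"From: a@example.org\n\nBudget draft attached.",
    b"From: b@example.org\n\nPlease keep this off the record.",
    b"From: c@example.org\n\nMeeting moved to 3pm.",
]


def demo():
    honest = build_chain(ALL_MAIL)
    # An owner who drops message 1 *before* publishing anything simply chains
    # the remaining mail; the result is just as internally consistent.
    filtered_mail = [ALL_MAIL[0], ALL_MAIL[2]]
    filtered = build_chain(filtered_mail)
    return {
        "honest_verifies": verify(honest, ALL_MAIL),
        "filtered_verifies": verify(filtered, filtered_mail),
        # Removal after publication is what the chain does catch.
        "late_removal_detected": not verify(honest, filtered_mail),
    }


if __name__ == "__main__":
    print(demo())
```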
