[Cryptography] Making scenarios realistic

Phillip Hallam-Baker phill at hallambaker.com
Mon Apr 15 11:27:42 EDT 2019

On Mon, Apr 15, 2019 at 4:04 AM Ralf Senderek <crypto at senderek.ie> wrote:

> On Sat, 13 Apr 2019, Phillip Hallam-Baker wrote:
> > Perhaps a business model for a Web MetaNotary is selling the key escrow
> > service to Alice.
> Now that selling key escrow seems to be the business model you fancy,
> you may put this study
> (https://www.schneier.com/academic/paperfiles/paper-key-escrow.pdf)
> on the new enterprise's web site.

I have made no such decision and I will just point out that most folk who
have claimed they know what my business model is have proved to be wrong in
the past.

The paper is from 1997. Think about that for a while. Back then we thought
that the biggest issue any crypto system had to address was how to
absolutely guarantee any possibility that the FBI could gain any imaginable
advantage in any circumstance whether realistic or not.

Yes, I know that the paper addresses the legitimate uses of local escrow
and if you look at the architecture I have in the Mesh, it follows largely
the approach suggested. But the paper itself was written as a rebuttal to
Louis Freeh when he was approaching peak crazy. A few months after it was
written, Freeh conspired with a corrupt prosecutor to impeach a President
in revenge for being snubbed on the key escrow issue.

It was ideology, not security.

And it hurt us badly because instead of actually solving real problems
people needed solving and delivering products that they could use, we
insisted on addressing really difficult problems like end-to-end secure
email and sneering at partial solutions such as transport security.

STARTTLS is pretty much the only email security in place today. We got it
ten years later than we could have had it and we ended up with end-to-end
email take-up of about 2 million S/MIME and 2 million OpenPGP users having
registered a key - about 0.1% of users, and they use it for maybe 1% of
their email.

We spent inordinate amounts of time making sure that IPSEC delivered
'perfect' forward secrecy and as a result delivered a specification that
still doesn't actually work out of the box, is a pig to use and can only be
made tolerable with proprietary hacks.

Ideology does not deliver security.

As with the end-to-end arguments paper, this is a paper that is shared far
more often than it is read. The arguments made in the paper are not the
same as the ones that people seem to think. I suggest people read it. They
may well be surprised.

That said, it is a pity that the group didn't include any people with
experience of running a commercial CA. Otherwise they would know that there
is actually a very solid reason for escrowing signature keys and every CA
makes use of it. On the other hand, very few people were doing that in
1997. I wasn't one of them then.