1995-10-06 - Re: subjective names and MITM

Header Data

From: jbaber@mi.leeds.ac.uk
To: cypherpunks@toad.com
Message Hash: 99aa9c7fedfd05a01ed205b672a7dfe094caf3c0003fdd675a0ac28d1c9879af
Message ID: <2264.9510061657@misun2.mi.leeds.ac.uk>
Reply To: N/A
UTC Datetime: 1995-10-06 16:05:53 UTC
Raw Date: Fri, 6 Oct 95 09:05:53 PDT

Raw message

From: jbaber@mi.leeds.ac.uk
Date: Fri, 6 Oct 95 09:05:53 PDT
To: cypherpunks@toad.com
Subject: Re: subjective names and MITM
Message-ID: <2264.9510061657@misun2.mi.leeds.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain


This discussion can be divided into two separate situations. The first of
which is exemplified perfectly by Hal:

hfinney@shell.portal.com writes:
>m5@dev.tivoli.com (Mike McNally) writes:

> >hfinney@shell.portal.com writes:
> > > This situation with the MITM is actually about the same as if you were
> > > communicating insecurely in the first place.  You are exposed to all of
> > > the same risks.

> >The only way to achieve the level of security offered by physical face
> >to face communication with a person is to have a physical face to face
> >conversation at some point.  If you only ever communicate via
> >electronic means, you are always subject to the risk of dealing with a
> >synthetic entity.  (I think.)

>I don't think so, or at least the risk can be minimized much more than in
>the model where we just say that we're communicating with keys, therefore
>a MITM is perfectly legitimate because it's just a matter of who holds
>the keys.  Suppose I want to talk to PC Magazine columnist John Dvorak.
>Suppose I find a VeriSign certificate for his key, with his name and
>employment information.  I've never met him.  We've never had a face to
>face conversation.  Yet I claim I can communicate with considerable
>security with Dvorak using this certificate, certainly more than if I
>just use any old key which is lying around with his name on it, one which
>may be owned by a MITM.

Here the wish is to communicate with a 'real' person. A person that actually
exists and has an in-built reputation that is separate from his key. This is
very much a real life situation and is very similar to the first time that you
meet someone - it is very hard to know that someone is who they say that they
are, few people ask for ID and even ID is possible to fake (an old key that is
actually owned by a MITM). In this case the person is known (of) and not the
key - therefore it makes sense to attempt to ensure that the link between the
key and the person is a strong (trustworthy) as possible.

However this is not the case in the second situation:

I could say that know that I enjoy reading mail from some people on the list,
that I agree with some people on the list or that some people on the list hold
very strong opinions on certain subjects. However this would not be correct as
I have not met anyone else on the list in person (we do not all live in the US).
It would be more correct to say that I enjoy reading mail from some addresses
on the list (etc.) - I have no real idea whether hfinney@shell.portal.com is Hal
or actually Tim expressing different views. If I mail Hal therefore I am
actually mailing the entity that sends mail to the list from that address and
I would do so being pretty sure that I was communicating with the person who
mails here - but I would have no idea whether he is actually male, female, blond,
brunette etc apart from what I chose to believe from others. 

Now mail is far easier to fake/intercept than a digital signature/encryption - at
least I hope so. Therefore if Hal where to sign all of his messages I could check
the signatures with a public key obtained from anywhere at all and if they passed
then I could be confident that the messages were all written by the entity with
control of the secret part of the key - at least far more confident than I am at
all of the mail from hfinney@shell.portal.com actually comes from there. So instead
of me getting the idea that hfinney@shell.portal.com posts interesting messages
I get the idea that the holder of the secret key posts interesting messages - I
would probably still use the mail address as keys are less convenient with current
mail readers but that is an implementation problem. Hals reputation is therefore
transfered to they key - no matter where I got the key from. So if I send encrypted
mail to the person with the private part of Hal's key I can be sure that it can
only be read by the person who actually sent the messages pertaining to be from Hal.

So the MITM problem is 'defined away' in the case where a reputation grows with a
key but is still a major problem where you want to transfer a ready made reputation
to a key (as in the first example). In effect the key becomes a pseudonym and you
can be sure of communicating with the pseudonym safely but can not be sure of
anything about the pseudonum that you have not experienced yourself without trusting
someone else (VeriSign in the first example). Thus the problem is more reputation
transfer than anything else.

Jon C. Baber
jbaber@mi.leeds.ac.uk
http://www.chem.surrey.ac.uk:80/~ch02jb/





Thread