From: Henri La Bouche <hedgehog@anon.efga.org>
Date: Fri, 20 Feb 1998 04:11:21 +0800
To: cypherpunks@Algebra.COM
Subject: The danger of certificates
Message-ID: <199802192003.PAA11771@server1.efga.org>
MIME-Version: 1.0
Content-Type: text/plain




IMHO there is a serious situation creeping up that I have not seen much attention on. That is the use of certificates to encrypt e-mail. I think these are two entirely separate subjects and unless the distinction is made and people are made to see it strong encryption will be next to useless.

If I may draw an analogy (albeit flawed <g>). Using a certificate to sign or encrypt a message is akin to notarizing a document. Using strong encryption is akin to putting snail mail in an envelope before sending. To have to notarize every piece of mail you send, or to be required to go to the post office and show ID in order to send mail would be a gross invasion of privacy and completely unacceptable. Yet this is what is done when using certificates to encrypt e-mail.

Currently this use of certificates is not widespread, but if any lesson is to be learned from the "browser wars" is that if you give it away people will use it regardless of quality. And in America especially, if something requires brains or intelligence to use you know right off that the general public will not accept it. As e-mail becomes more and more the standard it will be easy to whip the populace into a frenzy regarding "privacy" and spam then provide the simple and easy method of using certificates as a standard.

Let's put on the black hat for a moment and create a plan. We want to snooker the public into believing it has security through strong encryption and yet we have the ability to track connections and communications. Further we would like to get a net gain of intel, not just replace the current system with something new.

The primary goals would be
1. Knock out any competing encryption system.
2. Provide a system that is apparently strong but is not.

The best way to defeat number one is to give away number two (pun intended).

The specs for such a system would be:
1. A backdoor or key escrow or other method to easily decrypt the information sent.
2. A means to trace all messages back to the actual originator.
3. A means to know who is the true recipient.
4. User friendly (no-brainer).
5. It must provide benefits above and beyond encryption and digital signatures.
6. Acceptable to the general public.

The simplest method of creating key escrow is to have a single source for issuing keys. If people are unable to create their own keys then there will be no problem with having to break unknown keys. To make this acceptable to the populace there has to be an apparent benefit. If the keys are issued by a "trusted" authority who supposedly takes great pains to verify identity before issuing a key, then the people don't have to think or be bother to look for deceit. The authority will be there to ensure it never happens.

This system also provides traceability of originator and recipient.

To make it user friendly, make it password free, fully integrated into the e-mail client and fully transparent to the user.

Additional benefits could be the noted above "trusted" authority factor as well as whipping up a frenzy about "hackers" reading your mail and doing horrible things, which will be prevented if your just use our encryption. Also "faster" protocols can be invented that whisk certificate encrypted mail through the internet faster and more reliably. Use of certificates can eliminate spam, simply filter out all mail that is not encrypted with one of our certificates, after all, if someone doesn't use our certificate then they must have something to hide.

Making it acceptable would require that it appear to be not controlled by the government and then run a PR campaign selling it. First off have a few large corporations back it, have the certificates issued by an apparently private corporation and finally have athlete and movie star endorsements, i.e. "Got Encryption".

The political deviants who refuse to use this system will be easy to isolate and target.

Henri
<hedgehog@anon.efga.org>