From: Alex Strasheim <alex@omaha.com>
Date: Mon, 28 Nov 94 11:01:09 PST
To: norm@netcom.com (Norman Hardy)
Subject: Re: Transparent Email (WAS disable telnet to port 25)
In-Reply-To: <aaffa3550002100432fd@DialupEudora>
Message-ID: <199411281901.NAA00468@omaha.omaha.com>
MIME-Version: 1.0
Content-Type: text


-----BEGIN PGP SIGNED MESSAGE-----

I think that the main problem with this is that it would require email 
addresses to be transmitted electronically.  My email address is 
alex@omaha.com, and one of the nice things about it is that I can tell 
someone what it is, and they'll remember it.  I'd hate to have to append 
a fingerprint to the address when I gave it out.

The big problem with secure mail in the real world is that most people
probably aren't willing to sacrifice much in the way of convenience in
order to get security.  We really need a Eudora-style program which would
look and act like Eudora does now, with encryption and signatures going on
in the background.  A scheme which would make addresses more complicated 
probably won't fly.

The general approach that I was proposing was to create a lowest common
denominator web of trust, but to allow anyone to create, maintain, and use
their own webs, using whatever criteria they deem appropriate.  This is, 
in my understanding at least, the best way to guard against the man in 
the middle problem:  keys would have to be signed by someone we trust in 
order to be accepted.  The idea is to put a lot of flexibility in the 
hands of users, making a very high level of security possible, without 
imposing the responsibilities this involves on people who don't want or 
need it.

In order to do this, we'd need a general system for describing and 
manipulating webs.  Ideally, a web could be defined with a single top 
level public key and a rule set.  They keyserver would return a text file 
which contained a chain of signatures in a text file, and a general 
program, which I'm calling meta-pgp, would be able to extract and verify 
the user's public key using the web's top level public key and the rule 
set.

The point of meta-pgp is to give people enough flexibility in 
administering their webs that they wouldn't feel constrained by the 
system.  It would work by allowing chains of signatures, and allowing 
supplemental information to be affixed to each key in the chain before it 
was signed.

Suppose, to take a simple example, I administer a web.  I decide that I'll
deputize people to sign user keys.  Each signature will be good for a
year. 

First of all, I'd have to sign the deputy's keys.  I'd meet with the 
deputies, and they'd give me their public keys in text format.  I'd 
prepend two fields of header information, a DEPUTY token, and a DATE 
11/28/94 token to the deputy's key, and then sign it with my public key.  
Then I'd return it to the deputy.

The deputy would do something similar for the user when he signed the 
user's public key:  he'd affix USER and DATE tokens, sign the result and 
give it back to the user.  He'd also prepend his own public key, signed 
by my top level public key.  The user would submit this to the keyserver 
database.

That way when someone wants to send mail to the user, they'd query the 
database.  The sender would send the keyserver the email address of the 
recipient, along with a list of acceptable webs, in order of preference.  
If the sender was willing to accept my web, the keyserver would return 
that chain, and the sender's meta-pgp would validate the key, based on 
the top level key for the web and the rule set.

The point of meta-pgp would be to allow people to use whatever kinds of 
webs they want, at the same time preserving the ability of generalized 
programs to verify keys.

The default web could be based on something simple, with comparatively low
security, allowing people to send in their keys via email and requiring
them to respond to an encrypted reply from the web administrator.  This
wouldn't be impossible to spoof, obviously, but it would allow a lot of
people to put their keys into circulation.  Those of us who would be
dissatisfied with such an insecure setup could make other arrangements.

[I'm sorry to describe the same proposal twice, but I wrote the last one 
in the middle of the night, and I was a little bleary...  I'm not sure 
how well I described it.]


> If I have never sent you mail, consider how I got your e-mail address?
> You could have sent your public key to me along with your e-mail address.
> If your public key is too big you could include a phoneticized secure hash of
> your public key and I could check big brother (the CA). I suspect that initial
> bits of a public key serve pretty well as a secure hash. Perhaps all email
> addresses should be accompanied by such a hash. The more initial bits
> the harder to find a fake public key with sutiable mathematical properties
> and initial bits that agree with your real pulic key.
> 
> If an email address and its associated PK are sent thru unauthenticated
> channels a man in the middle can substitute the PK. In the same situation,
> however, the man in the middle can substitute the email address!


==
Alex Strasheim | finger astrashe@nyx.cs.du.edu
alex@omaha.com | for my PGP 2.6.1. public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtoo3xEpP7+baaPtAQEkSwP/SlwhZ9TGnB0hpGMZ5L/WRjyKe7OTEAlj
yzYRGCPdEarvWkY9NtNDB1tqLJjomARJEZGD8jACSo25z8lgTXguVm98BxkzBErz
TlWhRuSBY/UzfBDLG7PMP5VlR6yosNrToErwbl7ZSAveZuC9+usjCXB8WGhvK+Qg
/zKGskP06iI=
=lEaX
-----END PGP SIGNATURE-----