1996-02-23 - Re:

Header Data

From: brad@his.com (Brad Knowles)
To: Raph Levien <resolving-security@imc.org
Message Hash: bd416032e857707ab05c3a0f16eb691b5deba9e59867f9617d25407990a9b559
Message ID: <v01540a15ad5338323efb@brad.his.com>
Reply To: N/A
UTC Datetime: 1996-02-23 10:30:02 UTC
Raw Date: Fri, 23 Feb 1996 18:30:02 +0800

Raw message

From: brad@his.com (Brad Knowles)
Date: Fri, 23 Feb 1996 18:30:02 +0800
To: Raph Levien <resolving-security@imc.org
Subject: Re:
Message-ID: <v01540a15ad5338323efb@brad.his.com>
MIME-Version: 1.0
Content-Type: text/plain


At 4:55 PM 2/22/96, Raph Levien wrote:

>    One of the goals of the IMC is to involve users, not just
> developers. I was ready to "officially" represent the "cypherpunk user
> community," but fortunately, I didn't need to. In fact, the strongest
> advocacy of strong crypto came from an employee of a "large service
> provider in America."

    I consider myself a neophyte CypherPunk, in that I just
joined the DC CypherPunk mailing list.  If you check a
particular issue of _Communications of the ACM_ in the "ACM
Forum" section, you'll see that I've been kicking around this
kind of stuff for a little while.  For anyone who is interested,
I'll post or privately email the information on which issue it
was, as soon as I can remember which issue it was.

>    There were five contenders on the field going into the day, and two
> and a half at the end. MOSS was one of the casualties. A lot of us
> were sorry to see it go, but eliminating candidates has got to happen
> if we're going to have interoperation.

    I would have to say that MOSS does have the advantage of
being very well MIME-integrated, and therefore can serve as a
good framework on how to use something that is not necessarily
PEM-based.  I'm seriously hoping that whatever we finally come
up with, it won't look too very different from RFC 1848, except
where specific algorithms are discussed or perhaps additional
features.

>    There was a lot of energy around S/MIME. People are implementing
> it. Internally, it's pretty kludgely, but it does provide pretty good
> cryptographic services. (as an aside, my favorite kludge anecdote is
> the fact that X.509 certificates use an IA5 character set rather than
> ASCII, so that the @ in email addresses has to be represented as (a)
> instead).

    Oh, yeah.  We (the community interested in secure Internet
email) need to decide if we're willing to have an internal and
an external representation differ in this manner, since we
obviously can't show IA5 strings to the user or expect them to
type in IA5 strings.  My personal opinion is that the IA5
strings need to be dumped in favour of a proper Internet email
address format (which I'm sure is specified by one of the
bazillion email-related RFCs, I just don't know which one to
reference).

>    The biggest problem with S/MIME is that the signed and encrypted
> format reveals who made the signatures. Obviously, this has severe
> consequences for anonymous mail. Believe it or not, a lot of people
> care.

    IMO, this has to be fixed as well.  The good thing is that
the folks who have an investment in S/MIME seem to be willing to
make changes to the specification to suit the desires of the
larger secure Internet email connunity at large.  I hope that
companies like VeriSign (that help other comapnies to implement
this kind of technology) also agree to follow suit.

>    One strength of PGP has traditionally been its unity. PGP means one
> message format (the PGP one), one suite of crypto algorithms (the PGP
> one), one key format (the PGP one), one application (PGP itself). Most
> of the other proposals are modular in some way, especially with
> respect to algorithms. PGP is moving in that direction.

    IMO, unity in this case is both a benefit and a deficit.
Because it has not historically been separable, it's either all
or none of PGP, and that's not an implementory style that's
likely to win friends or marketshare.  To that degree, I think
PGP has probably been less successful than it could have been.
To the degree that this is changing is one indicator of its
potential to continue to be a player.

>    Earlier, I mentioned that two and a half protocols survived the
> day. The remaining one is MSP. It's actually not a bad protocol. It
> has two features that none of the others have: the ability to label
> classified messages, and a cryptographically strong signed receipt.
> Both of these functions are highly important for government users. It
> looks like government suppliers are going to go ahead and implement
> it, and the government is going to use it.

    Although these benefits are present in the current MSP, I
don't see anything inherent in MSP that makes it necessarily
superior in these areas.  If you were doing normal MIME-type
receipts (whatever that means, since I think there are three
different drafts under way currently), and you simply added the
ability to cryptographically sign a timestamp in the "proper"
MIME receipt type, then MSP would lose this advantage.

    I think labeling could potentially be done by follow-on
versions of other packages as well, since I think we all agree
that generic labeling which can be used both for standard
gov't-style classification levels and compartments, as well as
for business-style sensitivity labeling.  In fact, I'd almost be
inclined to say that it would likely be as easy (or easier) to
create a new general-purpose labeling system for use with any of
the competitors than it would be to modify MSP to support
business-style labels in addition to the gov't-style labels I'm
sure it has today (maybe it already has labels, but I don't
think that this is that tough of a problem to solve in any
event).

>    My feeling is that the main differences are cultural. MSP still has
> a very ASN.1, OSI, governmental flavor. Its proponents are making the
> effort to be responsive to users, but I think there's still a bit of
> skepticism about that, perhaps misguided, perhaps not.

    Yes, ASN.1.  Ugh.  Dave, have you been able to dig up that
penultimate discourse upon ANS.1 from your brother?


    On the whole, I haven't read anything of MSP yet, so perhaps
I'm totally off-base.  Maybe I'm misguided on this, but when it
comes to "new" protocols or standards that just suddenly drop
onto my radar screen, I sometimes wonder why I haven't heard of
them before and what someone is trying to hide.

>    My advice to US developers: don't even try to export a 40-bit
> version of your product. Just leave crypto out of the export version.
> Your product will have better performance and many fewer configuration
> problems. Include 40-bit in the US product if you have to, but don't
> allow it to be used silently. For example, put up a little dialog that
> says, "are you _sure_ you want to use 40-bit encryption? It's not
> secure, you know."

    This is where I say that what we need to do is neither cave
in to the limitation imposed by the gov't nor do we accept that
we have to rip out encryption from our products to be shipped
overseas or used in the U.S. on the behalf of overseas
customers.  We need to (on a daily basis) wipe the gov't nose in
this mess that they've created, until such time as they learn
that it stinks and that they shouldn't do that indoors anymore.

    ITAR be damned.


>    If care about offering crypto in the non-US market, form a
> partnership with overseas developers to add the crypto.
>
>    Non-US developers, now is a fabulous opportunity. Get those
> implementations underway, the sooner the better.

    And own the crown jewels to every single company in the U.S.
all that much faster.  It's not like the NSA is help to protect
them from espionage that originates from competitors or from
what used to be the political espionage organizations that are
now fighting to keep their jobs.  It's not like companies will
have a single moments interest in having to deal with two
different standards for their U.S. customers and overseas
customers, or worse, their U.S. subsidiaries and their overseas
subsidiaries.


    Everybody should buy their encryption technology from a
country where this kind of thing isn't under export control, and
then ship (or operate) from that country.  When all the
companies have moved overseas somewhere (or at least moved the
official bits that they have to move in order to make this
happen), maybe the U.S. gov't will wake up.  But of course, by
then it will be too late.  And the NSA (and other governmental
entities) will have succeeded in doing "Very Grave Harm to
National Security Interests" because there won't be much of a
Nation left behind when all the companies (and therefore
workers) are overseas.



    Sorry, this has been a *major* sore point with me for years.

>    Most serious email vendors plan to "implement everything that's
> real." That means S/MIME for sure, PGP/MIME assuming they can get
> their hands on a decent implementation, and MSP if they sell a lot of
> stuff to the government.

    I'm hoping that we'll be able to significantly reduce the
playing field of "what's real".

>                                              Over the next few months,
> we will see some very high profile, mass market implementations.

    You may see them from others, but I don't think you're
likely to see them from us anytime soon.  See my comments above
about ITAR.  We're a world-wide company (and trying to become
even moreso) with world-wide customers.  Hell, we could even get
completely cut off from certain countries because they deem that
we're providing access to "illegal" or "unapproved" encryption
technologies.

>    At the end of the meeting, Dave asked the room for consensus on
> several points. First, there was strong consensus that the encryption
> protocols converge on multipart/security for their signed message
> format.

    You mean "multipart/signed", right?

    There was also strong support for changing the
"octet-stream" definition of "multipart/encrypted" to something
more meaningful (hopefully simply state that it's one of the
standard MIME types, and can presumably be safely converted to
and from things like base64 or quoted-printable, or that its
canonical form is one of the seven-bit safe formats).  With that
change, there was strong support that I heard voiced for
supporting "multipart/encrypted" as well.

>    I'd say that's quite a remarkable achievement for a such a
> difficult area.

    Agreed.  I think Dave Crocker deserves a lot of credit for
how well he managed to shepard us "cats" and that he didn't let
things get far enough off-track that we turned into "hostile
cats".

        -Brad







Thread