From: "Timothy C. May" <tcmay@got.net>
To: cypherpunks@toad.com
Message Hash: fd23d08be03abf7e1deff0176f978e714a3640a0fd11157b61d8c9177f37cbc5
Message ID: <v03007802ae8210caf4d7@[207.167.93.63]>
Reply To: <v03007802ae819385a300@[207.167.93.63]>
UTC Datetime: 1996-10-10 02:08:04 UTC
Raw Date: Wed, 9 Oct 1996 19:08:04 -0700 (PDT)
Subject: Re: "Forward Privacy" for ISPs and Customers
At 5:26 PM -0500 10/9/96, Kevin L Prigge wrote:
>Timothy C. May said:
>> Something ISPs could do--and may do if there is sufficient customer
>> pressure--is to adopt a policy of "forward secrecy" (to slightly abuse this
>> technical term). That is, to have an explicit policy--implemented in the
>> software--of _really_ deleting the back messages once a customer downloads
>> them to his site. This means that _backups_ must be done in a careful
>> manner, such that even the backup tapes or disks are affected by a removal.
>
>Interesting thought, but it fails when it gets to my scale. It would
>be trivial to exclude a file or set of files from normal backup, but
>it would be problematic to exclude files from filesystem dumps, etc.
>The scale I deal with (40,000 users, 12gb of /home directory files and
>about the same in the mail spool) would make it almost impossible to
>provide this service with accuracy to my users.
Were I implementing this on my present system, with three hard disks (.5,
1.0, and 2.9 GB), I would just move the mail spool for the "no backups"
customers to one of the disks and then just not back it up. I realize this
could be a headache for ISPs, but the principle seems easy enough to
realize: move the mail files to a place that is not backed up.
(By the way, the backup utility I have is very easy to configure to back up
some files, not others, on all kinds of varying schedules. I would've
thought "tar" and other such vaunted Unix tools are at least as
configurable.)
Again, I think the most straightforward approach is to offer two kinds of
service: backups and no backups. And the "no backup" customers know that no
backups are kept. (BTW, it's also possible the ISP could offer a "crash
recovery" buffer of, say, a few days or a few weeks, to cover crashes of
its own system. The crash recovery disk would, ideally, be overwritten,
with no permanent copy of it ever made.)
--Tim May
"The government announcement is disastrous," said Jim Bidzos... "We warned IBM
that the National Security Agency would try to twist their technology."
[NYT, 1996-10-02]
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
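The two-tier scheme discussed in the message above, as an added example that is not code from the original thread or from any ISP's system: ordinary customers' spools go into the archive, the "no backups" spool is excluded with tar, a check confirms the exclusion actually held, and a crash-recovery buffer of rotating snapshots is pruned so that no permanent copy accumulates. The spool layout, file names and the constructed sample mailboxes are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): the two-tier scheme discussed
# above. Ordinary spools are archived, the "no backups" spool is excluded, a
# check confirms the exclusion held, and a crash-recovery buffer of rotating
# snapshots is pruned so no permanent copy accumulates. Paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SPOOL="$WORK/spool"          # assumed layout: backed/ and nobackup/ trees
ARCHIVE="$WORK/backup.tar"
BUFFER="$WORK/crash-buffer"
KEEP="${KEEP:-3}"            # snapshots retained; older ones are destroyed

# Constructed sample data: two ordinary customers, one "no backups" customer.
setup_sample_spool() {
    mkdir -p "$SPOOL/backed" "$SPOOL/nobackup"
    printf 'From alice@example.net\n\nhello\n'   > "$SPOOL/backed/alice"
    printf 'From bob@example.net\n\nhi\n'        > "$SPOOL/backed/bob"
    printf 'From carol@example.net\n\nprivate\n' > "$SPOOL/nobackup/carol"
}

# Back up the spool with the no-backup tree left out entirely (GNU tar).
make_backup() {
    tar -cf "$ARCHIVE" -C "$SPOOL" --exclude='./nobackup' .
}

# Check: archive members under the excluded tree; must be 0.
excluded_members_in_archive() {
    tar -tf "$ARCHIVE" | grep -c '^\./nobackup' || true
}

# Ordinary mailboxes that did make it into the archive.
backed_files_in_archive() {
    tar -tf "$ARCHIVE" | grep -c '^\./backed/.' || true
}

# Crash-recovery buffer: snapshot the backed-up tree under a sortable label.
take_snapshot() {
    mkdir -p "$BUFFER"
    cp -R "$SPOOL/backed" "$BUFFER/snap-$1"
}
snapshot_count() { ls -1 "$BUFFER" 2>/dev/null | grep -c '^snap-' || true; }

# Keep only the newest $KEEP snapshots and destroy the rest.
prune_snapshots() {
    excess=$(( $(snapshot_count) - KEEP ))
    [ "$excess" -gt 0 ] || return 0
    ls -1 "$BUFFER" | grep '^snap-' | sort | head -n "$excess" |
        while read -r old; do rm -rf "$BUFFER/$old"; done
}
```

Run `setup_sample_spool; make_backup; excluded_members_in_archive` to see the check report 0 for the no-backup tree; the snapshot functions take a date-like label such as `20241005` so that sorting by name is chronological.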