From: Adam Back <aba@dcs.ex.ac.uk>
To: whgiii@invweb.net
Message Hash: 5af6072b94d439b56beb8cf9a3d879c1b31b9a3dedbb30cad561c28ef7bef88c
Message ID: <199710111017.LAA01278@server.test.net>
Reply To: <199710110517.BAA22561@users.invweb.net>
UTC Datetime: 1997-10-11 11:02:53 UTC
Raw Date: Sat, 11 Oct 1997 19:02:53 +0800
From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sat, 11 Oct 1997 19:02:53 +0800
To: whgiii@invweb.net
Subject: Re: PGP CAKware & IETF controlled Open-PGP standard
In-Reply-To: <199710110517.BAA22561@users.invweb.net>
Message-ID: <199710111017.LAA01278@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain
William Geiger <whgiii@invweb.net> again:
> In <199710110154.CAA06536@server.test.net>, on 10/11/97
> at 02, Adam Back <aba@dcs.ex.ac.uk> said:
> >Jon Callas <jon@pgp.com> writes:
> >> I am adamantly opposed to any of PGP's business features being MUST
> >> features of OpenPGP. If they were, then our freeware and personal
> >> privacy products wouldn't be conforming applications, and we have
> >> *no* intention of putting them in those products. Wouldn't that be
> >> an interesting situation?
>
> >I may be misunderstanding something here, but could you tell me how PGP
> >freeware and PGP personal privacy can simultaneously not have recognition
> >of GAK compliant keys, and emit messages telling the users that this is a
> >GAK key (on receipt of the flag you described), and emit messages warning
> >the user that the email will not be delivered (on receipt of that other
> >flag you described).
>
> I didn't see where Jon said that the other versions versions of PGP would
> not recognize these keys.
Neither did I. But the question at hand is whether the IETF OpenPGP
should recognize them.
> What Jon did say is that they would not generate these keys nor
> force compliance with encryption to a second key. I myself would
> want to know that a message encrypted with key A is also being
> encrypted with key B though haveing this info in the public key
> itself is not necessary.
I'd argue that it's more than just not necessary, having the
information in the public key is the sole reason I'm arguing that this
is a GAK compliant feature.
> >If it's defined as being compliant to ignore both of these flags, and the
> >message snooping key then users email will bounce without warning.
>
> I don't see this as a problem. My Twit/SPAM filter bounces messages
> without warning. As a matter of fact most bounced messages are done so
> without warning. :)
Not very intuitive to the user though is it. Also not a very strongly
optional feature if 80% of businesses end up bouncing your mail back
at you because you're "choosing" not to be GAK compliant.
> >If it's defined to silently send to second crypto recipient, you have
> >fully interoperable GAK compliance built in to the core of PGP. If PGP
> >Inc will remove the GAK compliance when GAK becomes mandatory, I'm sure
> >there are other companies who won't have a problem selling out to GAK (eg
> >IBM, or TIS).
>
> This is a stereotypical Strawman. "Even if PGP avoids GAK some other 3rd
> party can modify it to be Gakware."
Not so fast there. That isn't the stated problem. The problem is
that not only can some 3rd party adopt it (no modifications necessary,
that's why I'm dubing it "GAK compliant"), but that the rest of the
compliant OpenPGP standards would automatically cooperate to some
degree, and we would thereby be streamlining the migration path to
mandatory GAK. If PGP retract the GAK compliancy feature, by removing
the functionality in the key, we won't be calling it GAK compliant.
They (and any other government or corporate message snooping feature
implementors) can achieve message snooping without adding this
functionality to the OpenPGP standard.
> Every version of PGP had the ability to encrypt to multiple
> recipients. As I stated in my previous posts I can get PGP 2.6.x to
> do everything 5.5 does with a couple of scripts. Are you no willing
> to take the position that ALL versions of PGP are GAK compliant???
No, they are not. I've argued in reply to your other post why this is
clearly not so. The difference is that PGP is creating a new animal:
a key which it is defined will be auto-encrypted to two keys by the
_sender_. Variations being discussed being auto-encrypt with user
query, or auto-encrypt with user override to disable. Regardless, the
fact that PGP is encouraging the process of enforcing this dubious
security practice via their policy enforcer means that users are
forced to use the GAK compliancy feature to get through to any
corporates who are using PGP's method of implementing corporate
message snooping.
> >If it's defined to warn but give the option to send to second crypto
> >recipient, well you've still got mandatory GAK compliance, but you've got
> >a pretty little warning that you've got mandatory GAK to rub your nose in
> >the fact for each message you send too.
>
> No this is not mandatory GAK compliance. Mandatory GAK compliance
> would be if every copy of PGP came with a government key and the
> program *forced* the user to encrypt all his messages with it. This
> is really turning into a shameless FUD campagne on your part Adam
> worthy of David "FUD" Sternlight himself.
It's less strongly enforced GAK compliance, but I think it is still
a form of GAK compliance.
To see why this might be, consider the effects of 80% of the business
community using this feature, and you as a pro-privacy cypherpunk type
(you are pro-privacy aren't you?). Consider also that government has
mandated that companies hand over their message snooping master key to
the Feds.
Now what happens. In the above, you have the "option" not to use the
GAK compliance feature in that you can still send a message, but the
option won't be worth much in that the recipient will be unable to
read it. If lots of people are using this system, that will cut you
off. You will be unable to send email to these people. It's all very
well to say you have the "choice" not to do business with them, but
your choices may be severely restricted.
I hope that following from this discussion you can see the advantages
of PGP switching to the use of the normal multiple crypto recipient
field to acheive this message snooping functionality. It doesn't
apply at all to the recipient. The snooping of received email for
those using PGP 5.6 "message snooping for businesses" is done after
decryption in the PGP5.6 "for message snooping enforcing" client. The
snooping of sent mail for users of PGP5.6 "for message snooping
enforcement" client is done inside the corporate LAN as the message
snooping packet security leak prevention functionality built in to the
PGP 5.6 "SMTP prevention of security leaks enforcer" strips out the
second message snooping crypto recipient packet.
> As far as I am concerned you have not proven your case that PGP 5.5
> is GAK compliant. Your general argument that PGP 5.5 has the
> potential to be GAK can cover *ALL* version of PGP. Any system that
> allows encrypting to multiple recipients can easily modified into a
> GAK system.
You may have not been convinced of the case, but that is because you
have not considered the long term picture, interoperability issues,
and utility to GAKkers of having GAK compliant features in the IETF
OpenPGP standard.
The argument that pgp5.5 has mandatory GAK compliancy does not in any
way apply to older versions of PGP.
PGP 2.x can support voluntary GAK in that the user can send to a
second key that the NSA generates for thme.
It is the features which move the enforcement of this functionality
into the senders client, and the fact that the "optional" nature
becomes weakly optional (meaninglessly optional) if you consider
scenarios where most businesses are using the pgp5.5 SMTP policy
enforcer to bounce your email unless it complies, and where business
are legally required to use such policy enforcers, and businesses are
legally required to hand over the master corporate snooping key to the
GAKkers to go in the NSA database.
> >I gave lots of examples of other ways to achieve the claimed
> >functionality of recovering stored data. Achieving hard to circumvent
> >corporate email snooping functionality is harder to achieve without CMR.
> >You can do some, but not quite as much. But corporate snooping wasn't on
> >your stated list of user requirements. And it's not very savory anyway.
>
> I think this is your real issue here. You don't like the ideal of a
> company haveing access to their documents. If that's how you feel then
> make your case so it can be judged on it's merits.
That's a separate argument entirely. I believe that I have shown
security advantages in not doing corporate message snooping in the way
that PGP is "proposing" (by steaming ahead and implementing and
deploying it outside of the IETF OpenPGP process). In addition I made
the point earlier that any form of message snooping is weak... there
are many ways for the determined employee to by pass it. The only
real protection is surveillance cameras, tamper-resistant key board
logs, and body cavity searches at the door. So if enforcement is weak
anyway, it seems sensible to trade some small percentage of this
enforceability for enhanced security.
I went to great pains to detail other more secure, and entirely
feasible methods of assuring corporate message snooping functionality
can be built.
I also clearly distinguised between stored documents and documents in
transit in transient communications mediums.
In addition I argued for key escrow of storage keys as good company
backup policy.
You have not been paying attention here, or are playing the function
of the luddite, refusing to accept that better security is obtained by
separating the functionality of encryption keys and storage keys.
A similar example might be if you were to refuse to countenance the
suggestion that having separate signature and encryption keys is
better than not doing using as an argument perhaps the fact that
pgp2.x has been using the same key for both purposes for years.
The point of the IETF OpenPGP standardisation process is to explore
the options and decide on the best technical approach, which is in the
interests of the Internet community.
Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
Return to October 1997
Return to ““William H. Geiger III” <whgiii@invweb.net>”