On Fri, 1 Oct 2004, william(at)elan.net wrote:
On 1 Oct 2004, John Levine wrote:
> The first is what the signature is intended to protect. S/MIME and
> PGP are provide long-term verification. I can pick a message out of
> an archive that's two years old and check the PGP or S/MIME signature.
> That's sometimes useful, but it means that the signatures have to be
> extremely resistant to all of the stuff that might happen to a message
> in transit or storage, and have to be strong enough to resist an
> attacker that's willing to leave a key cracker running in the
> background for months.
To be more accurate to what John said, PGP and S/MIME offer not just
signing the message but encrypting it and encryption requires strong
cryptography, so that publicly viewed text can not be easily decrypted.
Signing does not require this all by itself as you already know the
text.
Clarifying further, the current profile of PGP and S/MIME require strong
cryptography, but neither PGP nor S/MIME intrinsically require it. The
strength of the cryptography is related to the key size, and that is
selected based on criteria outside the scope of both core technologies.
Further, signatures require strong cryptography if you expect them to be
valid (known not to be forged) at some time in the future.
Alternatively, timestamp and CRL archiving may be an option. But this
discussion is beyond a charter discussion
And, encryption does not require strong cryptography if the value of the
protected information is short-term. But this discussion is beyond a
charter discussion.
> STARTTLS protects a channel, but it's not end
> to end and not per-message. I think the intention in MASS is to
> verify a message during an end-to-end delivery process that typically
> takes a few seconds, and at the outside takes a week,
Basicly it means while we can expect message to be verifiable during
maximun delivery timeframe (or double/triple normal 5-day delivery
timeframe), after that the signature verification is no longer important.
This basicly allows for fast rotation of keys to protect against possible
attacks against the system.
I agree this is an reasonable criterion for this effort, and easily
incorporated into PGP or S/MIME by an appropriate choice of key size
(see above).
> and (debatably)
> doesn't have to survive all of the mangling that might happen to
> messages as they pass through mailing lists and the like.
This I STRONGLY SGRONGLY disagree. The system MUST be able to work
within current email infrastructure and not break it. That means
the signature must survive emails and forwarders and all other common
email retransmision systems.
I'm with John. This is a debatable requirement. Indeed, if the
validity of the signature is short-lived then long-term survival is not
an intrinsic service; you need to apply additional actions to achieve
it. So we do need to decide if we want long-term survival.
But we can debate this later.
Jim