ietf-openpgp

Re: PGP CAKware & IETF controlled Open-PGP standard

1997-10-11 11:52:55
Adam Back writes:
I've read Matt's PolicyMaker paper.  I can see the attraction of
moving towards these generalised trust statement syntaxes.

It would be nice to see the topic of the recipient refusing email based
on policies relating to third party access to messages in transit
being addressed in the standard when and if PGP gets to that stage.

There are some nice uses for some types of recipient refusal.  Ecash
payment for message processing, or my less $ oriented hashcash
proposal also.  (The types of problem that can arise with real ecash
payment for receipt, which hashcash avoids is that if applied to
discussion forums, it can bias the forums to allowing through more of
what rich people have to say.  A similar argument perhaps applies to
email following up to comments made in public forums, you can only
reply to someone if you have the money.  Busy people may set very high
payment rates.)

This is a good example of a possible future kind of key assertion.
Are you confident that you can decide which kinds of recipient refusal
are morally correct and which kinds are not?  Is it the role of the IETF
and the Open-PGP process to make this determination?  I would say not.
Rather, we should standardize data structures and conventions which
allow people to express those conditions and assertions which are useful
to them.

The CMRK is one such type of assertion: "please cc to key X anything
encrypted for me".  The key is requesting that the specified other key
be an additional recipient on encryption.

I can see problems with this type of assertion.  I hope when the time
comes that a way to define a convention or set of rules which disallows
this as part of the standard.

There are a whole range of possible assertions which you might object to:

 - All messages not encrypted to key X will not be read (subtly different
   from what we have now, in that it does not request you to encrypt to X,
   merely informs you that the recipient won't read it unless you do)

 - Message not signed by a key certified by signer X will not be read

 - All messages encrypted to this keyholder will be automatically copied
   to the holder of key X (corporation, etc.)

 - This key has been escrowed cooperatively (private component shared with
   a third party)

 - This key has been escrowed under duress by the keyholder of key X
   (corporation, etc.)

 - Only encrypt to this key using algorithm Z (where you consider Z weak)

You can take these case by case and decide for yourself whether each
one is acceptable or not by your own standards.  But I don't think it's
going to be possible to come up with a set of objective rules which will
decide whether any given assertion is allowed.

Fundamentally, you are asking to make it illegal for a key to request
encryption to an additional recipient.  That's what it comes down to.
You want to forbid this class of assertions.

Suppose a key wanted to delegate signing authority to another key.
"Treat signatures by key X as though they are by me."  Is that also
immoral?  Suppose a key said, "instead of encrypting to me, encrypt
to this other key."  Is this acceptable?  It could be part of a key
retirement process.  These possibilities are not so different in form
from requesting an additional recipient, but they might have uses which
you would endorse.

I think this approach of forbidding assertions is fundamentally flawed.
As I wrote, I expect to see us moving towards more expressive language,
which will inherently give the power to make assertions which some
people would object to.  That's the price you pay for expressive power.
In the English language people can say bad things as well as good.
I'm sure you would oppose restrictions on what people can say in English.
Why not apply the same principle to what people can say with their keys?

Rather than getting bogged down in trying to come up with a litmus test
for which assertions are allowed, I would rather see the group work to
improve the data structures and language used for expressing assertions.
What other kinds would people like to see?

Adam mentioned the idea of forward secrecy in email communications.
I'm not sure how that would work technically, but it sounds like
an interesting possibility.  Some people have suggested features to
facilitate anonymous communications.  New kinds of signatures like
untransferrable, designated-verifier, group and threshold signatures
are worth discussing.  There are a lot of features I would like to see
us moving towards.  But artificially limiting the expressive power of
key assertions is the opposite of the direction we should be going.

Hal Finney
hal(_at_)rain(_dot_)org
hal(_at_)pgp(_dot_)com