ietf-openpgp

Re: Is PGP still private?

1997-10-17 16:26:21

Padgett Peterson <PADGETT@hobbes.orl.lmco.com> writes:
> Adam Back <aba@dcs.ex.ac.uk> writes:
> > I'm not clear on this last one, but it may even be that a pgp5.0
> > implementation knows how to reply to a CMR key also.
>
> Source code is available, or I am sure pgp will answer.

No answer so far.  It would be quicker for someone who does know to
say yay or nay, than for me to read through the source.  Or simply for
someone who has both pgp5.0 and pgp5.5 test rig to try it and see with
a CMR key to see what pgp5.0 thinks of it; and what pgp5.5 + policy
enforcer thinks of what pgp5.0 sends it in response.

> > However if Alice is using a key with CMR then the user using a client
> > which understands CMR keys will present the user with a choice:
>
> Could. Sender would also have to have/be able to get the CMR key as it is
> essentially an additional recipient.

The software will attempt to fetch the CMR key, if it is unable to do
this it will say so.  (I think).

> > Some CMR keys will be marked to state that if the CMR key holder does
> > not use the application to say he wants to allow the CMR key holder to
> > read the information, that the message will not reach Alice, because a
> > CMR policy enforcer will bounce it back.
>
> Correct: *but* in the event of a bounce, no one else can read the message
> so privacy is maintained. Referring to the CIA triangle, confidentiality and
> integrity have been maintained, it is availability that has failed.

You are correct, availability has failed.  This is a very effective
enforcement mechanism: if you wish to communicate with someone you
can't because the policy enforcement says "no", you either comply or you
lose the ability to send to that destination.

If this system were to be used for purposes other than those which
its designers have envisaged, this enforcement could become
dangerous.

For example if it were installed in tinpotdictatorsville the
enforcement could result in the user having a "choice" not to
communicate with anyone at all.  Availability would be 0%.

Even if you believe that PGP Inc will never get an export license to
tinpotdictatorsville, there will be other companies implementing to
the OpenPGP standard in countries with freer export regulations.
These people if they choose to implement to the OpenPGP standard, will
be forced to implement the CMR feature too, otherwise the software
will not interoperate.

> > In addition it is acknowledged that this is a weak enforcement in that
> > it is relatively easy to create messages which will fool the CMR
> > enforcement agent, which will still be decryptable by Alice.
>
> That goes without saying: unless the policy server contains the CMR private
> key (which will not happen unless someone is completely clueless) it will
> be unable to do more than verify that something which appears to be the
> CMR header exists in the file. Such an appendage would be trivial to add.
>
> If the server could do more, THEN I would be concerned.

If you consider the case in tinpotdictatorsville above, it can do
more.  This is the case we should be focusing on because it is the
case we are trying to avoid.

This is because even though you can hack around it, the dictator will
be able to tell you have hacked around it because he will not be able
to recover the plaintext.

You can use super encryption but that will be detected also.

Steganography, or other low bandwidth subliminal channels would work,
but such techniques are advanced, and PGP Inc are not making similar
scale efforts to develop and deploy these.


Also if Padgett is using pgp5.5 himself, and he attempts to send a
mail to someone living in tinpotdictatorsville, his client will
cooperate with the dictator's wishes.  If the CMR mechanism were not
used at all the dictator would find he had far less use for pgp5.6
(with CDR in place of CMR).  This is because CDR does not provide any
third party access to communications.  It provides third party access
for stored data.  The dictator only has 1000 soldiers (it is a small
dictatorship), and they can only collect backup tapes from 100 houses
per day.  They are never sure if the citizens aren't hiding another
machine somewhere.  The process is inefficient and costs lots of
resources.  In fact the dictator's job is now much harder than it would
have been were PGP to keep the CMR method.

(CDR is Corporate Data Recovery.  With CDR messages are sent encrypted
only for the recipients' keys.  Recovery is provided by storing
recovery information alongside the data.  The recipient is presented
with a choice as to whether to archive a message, and whether to
enable recovery information.  It is a more secure, and less dangerous
design.)

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`