ietf-openpgp

Callas/Grigg CMR variant (was Re: what is purpose of CMR?)

1997-10-19 04:06:33

Ian Grigg <iang(_at_)systemics(_dot_)com> writes:
Jon Callas <jon(_at_)pgp(_dot_)com> writes:
[forward secret TLS]

It is hard from a standards and deployment issue.

It is easy to do if we assume that we control all the software.  If
we assume that the software concerned is the PGP policy enforcer - on
both sides of the exchange - then there is no difficulty about putting
together a simple protocol that allows the *policy enforcers* to
exchange keys and use them for PFS.

It would be non-compatible with other mailers, true, but that's what
experimentation is about, right?

If I was PGP Inc I would be doing this and using it as a selling point
... we have forward secrecy between corp offices for those who use it.
ACME corp has pgp5.5, you don't, you use TIS cakware without PFS... are
you going to buy in to better security or what?  (Rest assured TIS
cakware won't be including PFS ... that will screw up GAK friendliness
which they have profit incentives to add (due to sensitivity to
government contracts)).

Even if you don't bother at all with authentication (to prevent MITM)
this is a major, major win, because active MITM attacks are much
harder for governments to perform pervasively.  Same for any other
attackers, especially non governmental ones, MITM is not that easy to
pull off.

Worry about authentication later.  Perhaps bootstrap it off
IPSEC/IPv6 in a few years.

Now, if we put in place this scenario, you might be able to make a case
that the enforcement or strict option on the SMTP filter should only be
turned on when you have the PFS in place.

I haven't developed this fully, but it does have the advantage of
allowing a migration path from our current situation.

This is seriously clever, Gary.  If long term this TLS takes off in
the same way that SSL did, everyone will be using it anyway.  PFS TLS
is a major security and GAK resistant win.  Governments need copies of
all the transient forward secret keys.  They have to modify software
to get them, because

You can then use this as a base to ramp up user controlled forward
secret keys to further increase security and government resistance.
(Stuff which I described earlier as even more government resistant,
and privacy preserving technology).

Long term GAK resistance is possibly more important than immediate GAK
resistance even.  It may take governments another couple of years to
get to optimum GAK argument, and persuade everyone.

This proposal is a winner in my view, and easy for PGP Inc to
implement, right now.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U(_at_){$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
