ietf-openpgp
[Top] [All Lists]

Re: Just say NO to key escrow or CMR/ARR revisited

1997-11-05 08:37:08

Ian Brown <I(_dot_)Brown(_at_)cs(_dot_)ucl(_dot_)ac(_dot_)uk> writes:
Debating what should or should not be in the Open-PGP specs based on what
law some government may or may not pass in the future does not have a
place here.

!!

Au contraire. The overall aim of this exercise is (at least, I used to
think) to improve everyone's privacy and prevent Big Brother taking
over. To quote Phil Zimmerman:

"It's poor civic hygene to install technologies that may someday
facilitate a police state."

[Source: Bruce Schneier]

I would say a central principle of Open PGP design should be that we do
not do this.

Perhaps people would get the picture better if the NSA or NIST were to
join in this standardisation process, and ask for support for Lotus
notes like backdoors.  (Some of message key bits sent to CMR/GMR key
belonging to NSA resulting in 40 bits for NSA to break, and more bits
for everyone else to break)

If the NSA tried to put this in the standard there would be uproar.
If IBM, or TIS tried it also.

Because it is PGP Inc is trying CMR people's reasoning abilities kick
out "It can't be bad... PGP Inc are doing it".  "You don't understand
it's very privacy respecting".  Sheesh.

To the people who will jump in and say this post is off topic, it is
_not_ off topic.  CMR is poor design, and we are presenting the case
for why it should be either removed out right, or at least phased
out...

Security-wise: CMR is crap.  It is a security risk.  We've gone over
and over the risks of CMR and of simple obvious ways to reduce those
risks.  PGP Inc are having situations where 2, 3, 4 or even more long
term keys will be able to decrypt traffic for all time.  Attackers can
easily archive email as it goes over the Internet.

Ergonomics-wise: CMR is crap.  You can't recover from forgotten
passwords gracefully -- you've got to re-encrypt everything with the
employees new key.  I predict companies will use local escrow AND CMR
if this persists, and this is doubly dangerous because they'll escrow
the signature keys, and personal use keys too.

Politically: The brand name "PGP" has certain reputation behind it.
Lots of people have helped to give that brand name value.  We don't
want it associated with CMR/GMR techniques.


Those who want CMR in the standard had better start making a good case
for why that is necessary, and what advantages it has.  I can't see
that it has _any_.

Perhaps our IETF chairperson could help conduct a civilised discussion
of this question whilst we are waiting for the draft.  There seems to
be agreement on the MUST/SHOULD/MAY status of various ciphers, and
nothing much else to discuss in the interim.

Adam