Len Sassaman wrote:
> On Thu, 11 Aug 2005, Ian G wrote:
> > (Does anyone want us to take this offline? Just
> > shout...)
> > Right but this needs to be integrated into the
> > real world. Firstly, what does that signature
> > mean? What was it doing there? Because this
> > question is unanswered, and I'd say, unanswerable,
> > most people (in my experience) don't use signed
> > email. They simply encrypt.
> Right. I'm one of those people. This does, however, leave one open to MITM
> attacks -- which are probably not that large of a threat in the general
> case, but when dealing with centralized, proprietary IM systems, could
> very well be a realistic problem. (This is why Trillian's SecureIM
> solution fails my sniff test.)
Right. That's an interesting point. So GAIM
uses AIM which is a proprietary IM system. Now,
if that was all it was, *and* one assumed that
MITM in AIM was a real threat, then this would
be plausible logically, but still weak in terms
of validation.
The node threats are well documented: they are
the viral and spyware threats on each party's
nodes, and the party defection threat (your wife
takes you to court, your boss grabs all your
messages from others). So even in the face of an
attacker who could conduct an MITM at AIM level,
he still has better opportunities in keyloggers
and so forth on your or your counter party's
machine, and he's much more likely to go for an
attack he can blame on someone else than to drag
in AOL into an active attack. AFAIK, the TLAs
will happily insert viruses and keyloggers into
your PC, but they won't do an MITM.
So why bother to defend against an unvalidated
MITM attack and ignore the validated attacks
that the user is actually having to deal with?
In short, ignore MITM, or slot it later on. Look
at what PRZ's new VoIP product does - sets up a
chain of hashes. Why? Because he's been thinking
about unprotected email and PGP email for the last
15 years, and he can see that MITM, if it exists,
is a very very specialised threat that does not
affect the 99.99% of the body net.
(anyone found any doco on that btw?)
> > Secondly, the way court works is that if one
> > party tables a message, it's generally accepted
> > at face value. In practice, the mere presence
> > of the message is its own authentication.
> Actually, rules of evidence are a lot more complicated, particularly in
> criminal proceedings. It's pure speculation on my part to assume a
> non-reputable signature on a message would lessen doubt about tampering
> when presented to a third party, but I think it's reasonable speculation,
> and a problem worth avoiding.
Of course. I'm speaking from the small experience
of having seen several (digitally) signed
documents being presented in a couple of civil
forums so it's an empirical observation, and there
simply isn't enough experience to deal with this
question.
But in sum, the digsigs were considered "mostly
harmless". At least, whatever view we techies
have for digsigs was not matched by the way they
were received.
One of the reasons
is that neither side dared to question the
authenticity of a document that was tabled,
signed or unsigned. That's because the risk
of being shown to be wrong was extraordinarily
high, so what tended to happen was that both
sides said "they had not seen that document"
which shifts the attention to whether the doc
was seen by both parties, something that the
digsig doesn't cover.
> OTR allows its users to have strong authentication of encrypted messages
> without the *additional risk* that normal digital signatures introduce.
> > Turn it around and ask how important strong
> > authentication is? When was the last time you
> > needed it in email or IM? I suggest it is something
> > that we inherited from some military threat model
> > that isn't really relevant to our environment.
> I can't agree with this, particularly in the IM environment. It would be
> trivial for one of the large IM service providers to intercept encrypted,
> but unauthenticated traffic through their systems. If you don't trust the
> IM service provider, it is essential that you have end-to-end encryption
> and authentication.
No, this is all based on conjecture. Normal
rational users, if they don't trust the IM
service provider either switch to another,
guard their talk such that it doesn't matter,
or use nyms.
And, practically speaking, the cost to the
IM service provider in challenging that trust
is way way higher than any plausible benefit
that users could lose if they were MITM'd.
It's just not a threat that matters that much,
even though it is trivial to show that it is
possible. Covering the MITM is as relevant as
a bullet-proof pocket protector. Nice for geeks
to own, but not a fashion accessory that users
are likely to go for.
> > brought up in court, Alice might be in a
> > strictly worse position. On the one hand,
> > she is being dared to lie to the judge,
> > and on the other, she's been seen to use a
> > tool that has a sole advantage of repudiation.
> I'd hardly say that OTR's sole advantage is repudiation. Transparent
> encryption, perfect forward secrecy,
Those are very valuable.
> and a quickly growing user-base are
> also significant advantages. OTR is a privacy tool. Avoiding the
> non-repudiation trap is a form of privacy.
>
> Simply put, users shouldn't be forced to make non-repudiatable attestations
> in order to achieve privacy for their communications.
No, this is to assume that dig sigs are indeed
non-repudiable attestations. It's very easy
to repudiate a digital signature. You just say
you are using some proxy tool and you have no
idea what it does. The non-repudiable digsig
is a mistake by the crypto community, best off
being totally expunged from the language.
Don't try and repair such a badly broken tool,
remove it from the toolbox and throw it away.
It's complications like these that mean that we
recommend that you should never sign using digsigs
unless you know what it means. And also why the
protocols have moved over to using secure MACs,
as they don't carry the same stigma as having
any meaning outside the protocol.
iang
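An added illustration of the closing point about MACs (this is example code, not from the thread, from OTR or from GAIM): a MAC authenticates a message to the receiver and catches tampering in flight, yet either key holder can produce the same tag, so the tag carries no meaning about authorship outside the conversation. It assumes Alice and Bob already share a per-session key (OTR derives one from a Diffie-Hellman exchange; here it is just random) and uses HMAC-SHA256 as the MAC.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: the per-session MAC key already exists on both sides.
# OTR derives it from a Diffie-Hellman exchange; here it is random.
def new_session_key() -> bytes:
    return os.urandom(32)

def mac_tag(key: bytes, message: bytes) -> bytes:
    """Tag sent alongside the message (HMAC-SHA256 assumed as the MAC)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver's check, using a constant-time comparison."""
    return hmac.compare_digest(mac_tag(key, message), tag)

def session_report(message: bytes, key: Optional[bytes] = None) -> dict:
    """Run one exchange and report what each party can conclude from it."""
    key = key or new_session_key()
    tag_from_alice = mac_tag(key, message)
    # Bob knows only he and Alice hold the key and that he did not send
    # this, so a valid tag authenticates the message *to Bob*.
    bob_accepts = verify(key, message, tag_from_alice)
    # A message altered in transit no longer matches its tag.
    tampered_accepts = verify(key, message + b"!", tag_from_alice)
    # Bob computes the very same tag over the same text, and a valid tag
    # over any text he likes, so a transcript plus tags proves nothing
    # about authorship to a third party: either party could have made it.
    # A digital signature under Alice's private key would single her out.
    forged_text = b"I owe Bob a million dollars"  # constructed sample
    tag_from_bob = mac_tag(key, forged_text)
    return {
        "bob_accepts": bob_accepts,
        "tampered_accepts": tampered_accepts,
        "bob_tag_equals_alice_tag": mac_tag(key, message) == tag_from_alice,
        "bob_can_forge_valid_tag": verify(key, forged_text, tag_from_bob),
    }

if __name__ == "__main__":
    for name, value in session_report(b"see you at eight").items():
        print(f"{name}: {value}")
```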