[2087] in cryptography@c2.net mail archive


Re: statement of intent, security of CMR (Re: GAK and S/MIME)

daemon@ATHENA.MIT.EDU (Adam Back)
Wed Jan 28 15:50:39 1998

Date: Tue, 27 Jan 1998 22:13:01 GMT
From: Adam Back <aba@dcs.ex.ac.uk>
To: andreas@artcom.de
CC: colin@nyx.net, cryptography@c2.net
In-reply-to: <y8ag1mb9o62.fsf@horten.artcom.de> (message from Andreas Bogk on
	26 Jan 1998 17:48:37 +0100)


We are trying to design systems which provide corporate email archive
availability requirements without being useful to governments.

Simplest of all! -- don't encrypt email archives, store them
plaintext.  Use non escrowed communications keys.  If that is not good
enough, do as James Donald suggested -- have company escrowed keys for
storage only, and don't escrow communications keys.

Then if governments want copies of the company's storage escrow keys,
they can have them for what they are worth, because the spooks:

- have to raid offices to obtain the disks containing the ciphertext
- cannot employ fishing expeditions or mass keyword scanning

Situations where a group of people need to be able to read email to an
address (such as a sales team when one team member is away) can be
addressed with shared keys, or with Matt Blaze's proxy cryptography
techniques to translate messages from one recipient to another.

Andreas Bogk <andreas@artcom.de> writes:
> I'm not really sure if to buy the political argument. After all, the
> weak point is enforcement of the policies, and it is equally difficult
> to enforce the usage of escrowed keys or CMR keys.

From a purely practical viewpoint, the government can't enforce
policies where the software to achieve GAK does not exist, and is not
deployed.  PGP seems to be inadvertently building and deploying it for
them.

> After all, the government could force manufacturers of MUAs with PGP
> support to automatically include an additional recipient. This even
> works with PGP 2.x. So CMR doesn't make access to communications any
> easier.

CMR is a bit worse because it means that you as the sender have
software which can cooperate with other people's escrow requests.

>     >> And by pushing the cryptographic operation to the sender, the
>     >> system *must* have the sender's cooperation.
>     Adam> The sender is not typically aware of underlying protocol
>     Adam> details.  Whether the implementation presents the user with
>     Adam> a choice is an implementation issue.  The command line unix
>     Adam> version of one or more of the pgp5.x versions in fact does
>     Adam> not present this choice I think.
> 
> A program which doesn't offer a choice, and doesn't explain to the
> user the result of using the feature should be considered insecure. I
> don't think that a dialog box asking the user if he wishes to make the
> message readable to the following additional recipients is hard to
> understand.

Ah, yes, but it doesn't stop there -- if the user "chooses" not to
include the additional recipient the mail is bounced (if PGP's SMTP
policy enforcer is so configured).  If the government adopts this
mechanism, that will mean you cannot send mail unless you comply, to
companies running PGP5.x software.  The wedge governments will then
use is to demand that companies configure their software to include
NSA as an additional recipient to everything.

>     Adam> One particular problem with the CMR mechanism is that it
>     Adam> fails to maintain the availability of archived mail.  This
> 
> Weren't you suggesting separate storage keys?

Yes, but PGP 5.x does not use separate keys.

Adam
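
As an added illustration of the storage-only escrow design argued for in the message above (this is not code from the original post, from PGP 5.x, or from any of the people quoted): a toy Python model in which a message is encrypted under a fresh session key, that session key is wrapped only to the recipient's communications key on the wire, and the recipient re-wraps it to the company's escrowed storage key before archiving. The cipher is a constructed HMAC-SHA256 keystream with a MAC standing in for a real AEAD, and the keys are symmetric stand-ins for the public keys a real mail system would use; the function names and the key split are assumptions for the example, not PGP's message format.

```python
import hashlib
import hmac
import os

# --- toy symmetric primitive (constructed for this example; use a real AEAD in practice) ---

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in keystream generator."""
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (or tampering) fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

# --- the key split: communications key on the wire, storage key in the archive ---

def send_message(plaintext: bytes, recipient_comms_key: bytes) -> dict:
    """Sender side: fresh session key, wrapped ONLY to the recipient.
    No additional (escrow) recipient is ever added by the sender's software."""
    session_key = os.urandom(32)
    return {
        "wrapped_for_recipient": seal(recipient_comms_key, session_key),
        "body": seal(session_key, plaintext),
    }

def archive_message(wire: dict, recipient_comms_key: bytes, storage_key: bytes) -> dict:
    """Recipient side: unwrap the session key with the communications key and
    re-wrap it to the company's storage-only key. The body is stored unchanged."""
    session_key = open_(recipient_comms_key, wire["wrapped_for_recipient"])
    return {
        "wrapped_for_storage": seal(storage_key, session_key),
        "body": wire["body"],
    }

def read_archive(archived: dict, storage_key: bytes) -> bytes:
    """Archive availability: the escrowed storage key alone recovers archived mail."""
    session_key = open_(storage_key, archived["wrapped_for_storage"])
    return open_(session_key, archived["body"])

def storage_key_can_read_wire(wire: dict, storage_key: bytes) -> bool:
    """The storage key is useless against traffic captured on the wire."""
    try:
        open_(storage_key, wire["wrapped_for_recipient"])
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Run the whole flow with constructed keys and a constructed message."""
    comms_key = os.urandom(32)      # held only by the recipient
    storage_key = os.urandom(32)    # escrowed with the company, storage use only
    message = b"Q1 forecast attached (constructed sample message)"
    wire = send_message(message, comms_key)
    archived = archive_message(wire, comms_key, storage_key)
    return {
        "archive_readable_with_storage_key": read_archive(archived, storage_key) == message,
        "wire_readable_with_storage_key": storage_key_can_read_wire(wire, storage_key),
    }

if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is the one in the message: handing over the storage key yields only what is already sitting on the company's disks, while the communications key, which is what interception would need, is never escrowed and never wrapped to anyone but the recipient.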
