[146345] in cryptography@c2.net mail archive
Re: [Cryptography] PRISM PROOF Email
daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Fri Aug 23 19:19:15 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <051a14af-c80b-4ecf-8ad2-688ff6ee7c28@email.android.com>
Date: Fri, 23 Aug 2013 18:53:27 +0100
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Philip Whitehouse <philip@whiuk.com>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Fri, Aug 23, 2013 at 6:02 PM, Philip Whitehouse <philip@whiuk.com> wrote:
> Let me just see if I get where you're going:
>
> So essentially you've increased the number of CAs to the number of
> companies without really solving the PRISM problem. The sheer number means
> it's impractical to do much more than a cursory check before approval.
>
The number of CAs would not need to be very large, I would expect it to be
in the hundreds in a global system but that is pretty much a function of
there being hundreds of countries.

If example.com wanted to run their own CA for their own email certs then
the way to do it would be to issue them a cert signing cert that has name
constraints to limit its use to just name@example.com.

The idea is that there are multiple CAs but their actions are all vetted
for transparency and they all check up on each other.

Any one CA can be served with an NSL, but if they issue a coerced
certificate it will be immediately visible to the target. So a government
can perform a DoS attack but not get away with an impersonation attack.
> PRISM for email is bad because we don't even know who we can trust. I
> can't trust the provider because they could have been served an NSL. The
> provider has to see the metadata or they can't route the email. So I'm
> doomed. Best case is I can secure the contents and use an alternate name.
> At that point I need an organization I trust to act as my Omnibroker who
> for some reason I don't trust with the mail itself.
>
> One other question: PPE = Prism Proof Email?
>
> Nor do I think key chain length was the problem - initial key
> authentication and distribution is the first issue.
>
> Philip Whitehouse
>
Well the way that was solved in practice for PGP was Brian LaMacchia's PGP
Key server :-) Which turned into a node of very high degree...
--
Website: http://hallambaker.com/
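
Added example, not part of the original message or of any project it mentions: the message above proposes a cert-signing cert whose name constraints limit it to name@example.com, and this sketch shows how a relying party evaluates such rfc822Name constraints under RFC 5280 section 4.2.1.10. The function names and the sample addresses are assumptions constructed for illustration.

```python
# Added example: rfc822Name name-constraint matching per RFC 5280
# section 4.2.1.10, standard library only. All addresses are constructed.

def _split(mailbox):
    """Split a mailbox into (local part, lower-cased host)."""
    local, sep, host = mailbox.rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    return local, host.lower()

def matches_constraint(mailbox, constraint):
    """True if mailbox falls inside one rfc822Name constraint."""
    local, host = _split(mailbox)
    if "@" in constraint:            # full mailbox: exactly that address
        c_local, c_host = _split(constraint)
        return local == c_local and host == c_host
    c = constraint.lower()
    if c.startswith("."):            # leading dot: subdomains only
        return host.endswith(c) and len(host) > len(c)
    return host == c                 # bare host: any mailbox on that host

def email_allowed(mailbox, permitted, excluded=()):
    """Apply permitted/excluded subtrees as a path validator would."""
    if any(matches_constraint(mailbox, c) for c in excluded):
        return False
    # An empty permitted list places no restriction on this name type.
    return not permitted or any(matches_constraint(mailbox, c) for c in permitted)

def out_of_scope(issued, permitted, excluded=()):
    """Mailboxes in `issued` that a relying party must reject."""
    return [m for m in issued if not email_allowed(m, permitted, excluded)]

# Constructed sub-CA for example.com, constrained to mailboxes at that host.
PERMITTED = ["example.com"]
ISSUED = [
    "alice@example.com",
    "Bob@EXAMPLE.com",
    "alice@mail.example.com",      # subdomain: would need ".example.com"
    "alice@example.com.invalid",   # look-alike suffix: a different host
    "carol@example.org",
]

if __name__ == "__main__":
    for m in out_of_scope(ISSUED, PERMITTED):
        print("reject:", m)
```

The constraint only protects relying parties whose validators enforce name constraints; a client that ignores the extension treats the sub-CA as unconstrained.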
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography