[558] in cryptography@c2.net mail archive


Re: Two crypto policy articles online

daemon@ATHENA.MIT.EDU (Ulf Möller)
Wed Apr 16 19:55:15 1997

Date: Thu, 17 Apr 97 01:17 GMT+0200
From: 3umoelle@informatik.uni-hamburg.de (Ulf Möller)
To: cryptography@c2.net, cypherpunks@cyberpass.net
In-Reply-To: <C0218920D6@frw3.kub.nl>

>we claim that criminals will not *gain* anything by using the PKI, as 
>we assume that people will be free to use crypto outside of the PKI 
>regardless.

What they do gain is that

* they can use the official key infrastructure by having their keys
  signed and then use them for unescrowed ElGamal encryption, and

* they can make their communications look like harmless escrowed
  messages which pass all tests, while in fact they are not.


>The potential merit of a binding PKI is that it provides 
>an acceptable crypto infrastructure for those who want it

As has been pointed out before, the most plausible way to "abuse" the
binding PKI is not by generating invalid binding data, but by first
encrypting the message to the recipient's key only (either the ElGamal
key as provided by the PKI, or using PGP) and as a second step encrypt
the ciphertext to both keys.

As a consequence, the binding property can be ignored in any further
analysis.

Unless a single escrow agent's key is hard-coded into the
software, decrypting these ElGamal superencrypted messages will even
be transparent to the user (using MIME or a similar scheme that
recursively calls the decryption routine).  Otherwise, the user will
just have to obtain another program that does not require one
particular EA key.  Apart from that, one can always exchange PGP keys
and data inside signed and GAK-encrypted messages.

With respect to your criterion f, binding cryptography does not perform
any better than e.g. TIS key escrow.
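
The two-step layering described in the message above, as an added example for anyone evaluating an escrow design (not code from the post or from any binding-cryptography implementation). It uses textbook ElGamal with constructed toy parameters and hypothetical function names, and omits the binding proof itself because the outer layer is honestly formed for both keys:

```python
import secrets

# Constructed toy parameters: P = 2**127 - 1 is prime, G = 3 is an assumed base.
# Not secure; sized only so the example runs instantly.
P = 2**127 - 1
G = 3

def keygen():
    x = secrets.randbelow(P - 3) + 2             # private exponent in [2, P-2]
    return x, pow(G, x, P)                       # (private, public)

def encrypt(pub, m):
    """Textbook ElGamal on an integer 0 < m < P."""
    k = secrets.randbelow(P - 3) + 2
    return pow(G, k, P), (m * pow(pub, k, P)) % P

def decrypt(priv, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - priv, P)) % P   # c2 / c1^priv via Fermat

def escrowed_send(recipient_pub, ea_pub, values):
    """Outer, compliant layer: every value is encrypted to BOTH keys."""
    return [(encrypt(recipient_pub, v), encrypt(ea_pub, v)) for v in values]

def open_outer(priv, outer, slot):
    """slot 0 = recipient's copy, slot 1 = escrow agent's copy."""
    return [decrypt(priv, pair[slot]) for pair in outer]

def superencrypted_send(recipient_pub, ea_pub, m):
    inner = encrypt(recipient_pub, m)            # step 1: recipient's key only
    return escrowed_send(recipient_pub, ea_pub, inner)   # step 2: both keys

def demo():
    r_priv, r_pub = keygen()
    ea_priv, ea_pub = keygen()
    m = int.from_bytes(b"constructed msg", "big")        # 120 bits, fits below P
    outer = superencrypted_send(r_pub, ea_pub, m)
    ea_view = open_outer(ea_priv, outer, 1)      # what the escrow agent recovers
    r_view = open_outer(r_priv, outer, 0)        # the same two integers
    recovered = decrypt(r_priv, tuple(r_view))   # recursive second decryption
    return m, ea_view, r_view, recovered

if __name__ == "__main__":
    m, ea_view, r_view, recovered = demo()
    print("EA and recipient agree on outer plaintext:", ea_view == r_view)
    print("recipient recovers message:", recovered == m)
```

The escrow agent and the recipient decrypt the outer layer to identical values, which is all a binding check on that layer can establish; those values are themselves an ElGamal ciphertext that only the recipient's key opens.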
