[hashcash] Re: Opportunistic signatures - a proposed design
- From: Atom 'Smasher' <atom@xxxxxxxxxxxxxx>
- To: hashcash@xxxxxxxxxxxxx
- Date: Sun, 29 Aug 2004 15:20:23 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sun, 29 Aug 2004, Eric S. Johansson wrote:
> Atom 'Smasher' wrote:
> well, I'm of the opinion that the user should never ever see there is a
> key unless they have a specific security need to do so. Think about the
> most successful systems with encryption today: SMTP/TLS and HTTPS
<<snip>>
===================
i couldn't agree more: zero user interaction is key to widespread use. the
trick, with any PKI, is making it both useful and invisible.
> > in the meantime, only geeks will allow signed messages to bypass
> > further checks. i think that signatures and hashcash serve different
> > purposes, and to that extent the technologies are complementary... if i
> > have your key in my keyring you can sign a message and it won't be
> > subject to filtering... but if i don't know you, then hashcash will do
> > the same thing. also, i may not want to sign an email with my key
> > (maybe i'll want to deny later that i authored it)... in that case,
> > hashcash is more valuable.
> the whole point behind signatures (in this context) is to indicate
> automatically that the message is from someone I know. Not from someone
> pretending to be someone I know but actually someone that I know and
> have exchanged e-mail with in the past. That's it. End of requirements
> (sort of). It's not to have any greater level of meaning. That's for
> someone else's concern. It's just "it says it's from Joe, does it look
> like his signature?"
=================
let's say i send an email to my mom, and her MUA recognizes a pgp email
header on my signed email. whether the mail was signed manually or
automatically doesn't matter, here. anyway, her MUA informs her:
    This email includes key information for "Atom Smasher". Would
    you like to accept all emails signed by "Atom Smasher"?
that's all it takes. then her MUA creates a key-pair for her, and
automatically signs outgoing messages... same thing happens when someone
gets a message from her.
> well, here's the question how fast can you for someone's key if it's a
> small number of bits. After all, that's what all of our techniques boil
> down to. If I use a public key system with 256 bits, how fast can a
> spammer fake being me? What's a reasonable lower floor?
=================
not that big a problem to use <512 keys here... first of all, keys will be
easier to steal than break (when used on inferior operating systems), so
why would anyone try breaking one? second, let's say my mom's MUA uses a
default of 256-RSA keys, and someone breaks that key... what good is it?
they can use it to get past the filter of everyone who she exchanges email
with... NOT worth the effort for getting past 100 or so filters!
so, the obvious weakness in automatically signing emails is that viruses
will steal the key (large keys don't help), and then use it to send mail
to everyone in that user's address book.
now, if i'm the sysadmin for a large bank, and my customers are targeted
for phishing scams, then i'd be smart to use larger keys (among other
obvious and non-obvious precautions).
as an end user, do i benefit more from hashcash or signatures? i ~think~
hashcash is, overall, better. as a bank whose customers are targeted in
phishing scams, do i benefit more from hashcash or signatures? i can
protect myself much better if a PKI allowed customers to quickly identify
if an email is *really* from me... domain-keys and SPF will both help with
the problem of forgeries.
> now, if we add the requirement that we want to also encrypt e-mail in
> transit, again, what's the size of the organization that can regenerate
> my key, how long would it take, etc.
===========
depends on your threat model. my mom would be "safe" with small keys... my
bank would not be.
> mind you, if we use the Russian dolls model of encryption (weak outside,
> strong inside) then it wouldn't matter so much because if you truly
> wanted to protect your contents, you would protect your contents
> explicitly. I'm mostly thinking about envelope level protection.
============
SMTP-TLS seems to do that, for now... far from perfect, but better than
nothing. of course, if my email is a secret, i still use pgp.
...atom
_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"What you are seeing is not just a consolidation of seed
companies, it is really a consolidation of the entire food
chain. Since water is as central to food production as seed
is, and without water life is not possible, Monsanto is now
trying to establish its control over water."
-- Robert Farley, Monsanto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----
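The filtering policy discussed in this message (a signature from a key already in the recipient's keyring bypasses the filter, and a hashcash stamp does the same for senders who are not known), as an added Python example that is not part of the original post. It assumes the MUA has already verified the signature and passes in the signer's fingerprint; the function names, fingerprint and address are constructed, and stamp expiry and double-spend checks are left out.

```python
import hashlib

def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def stamp_ok(stamp: str, recipient: str, min_bits: int) -> bool:
    """Check a hashcash v1 stamp: ver:bits:date:resource:ext:rand:counter."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdecimal():
        return False
    claimed = int(fields[1])
    # The stamp must be minted for this recipient and claim enough work.
    if fields[3] != recipient or claimed < min_bits:
        return False
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed

def mint(recipient: str, bits: int, date: str = "040829") -> str:
    """Sender-side brute force; used here only to build a constructed sample."""
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{recipient}::constructed:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1

def classify(signer_fpr, stamp, recipient, keyring, min_bits=12):
    """signer_fpr: fingerprint of an already-verified signature, or None."""
    if signer_fpr is not None and signer_fpr in keyring:
        return "bypass:known-key"      # someone i have exchanged mail with
    if stamp is not None and stamp_ok(stamp, recipient, min_bits):
        return "bypass:hashcash"       # unknown sender who paid the CPU cost
    return "filter"                    # everything else goes to normal checks

if __name__ == "__main__":
    rcpt = "mom@example.org"           # constructed address
    keyring = set()
    print(classify("CONSTRUCTED-FPR", None, rcpt, keyring))
    keyring.add("CONSTRUCTED-FPR")     # user answered "yes" to the MUA prompt
    print(classify("CONSTRUCTED-FPR", None, rcpt, keyring))
    print(classify(None, mint(rcpt, 12), rcpt, keyring))
```

The 12-bit default only keeps the demo fast; a stolen key still passes the keyring check, which is the weakness the message points out for automatic signing.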
- Follow-Ups:
- [hashcash] Re: Opportunistic signatures - a proposed design
- From: Eric S. Johansson
- References:
- [hashcash] Opportunistic signatures - a proposed design
- From: Jonathan Morton
- [hashcash] Re: Opportunistic signatures - a proposed design
- From: Atom 'Smasher'
- [hashcash] Re: Opportunistic signatures - a proposed design
- From: Eric S. Johansson