[hashcash] Re: Opportunistic signatures - a proposed design

  • From: Atom 'Smasher' <atom@xxxxxxxxxxxxxx>
  • To: hashcash@xxxxxxxxxxxxx
  • Date: Sun, 29 Aug 2004 15:20:23 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sun, 29 Aug 2004, Eric S. Johansson wrote:
Atom 'Smasher' wrote:

well, I'm of the opinion that the user should never ever see there is a key unless they have a specific security need to do so. Think about the most successful systems with encryption today: SMTP/TLS and HTTPS
<<snip>>
===================

i couldn't agree more: zero user interaction is key to widespread use. the trick, with any PKI, is making it both useful and invisible.


in the meantime, only geeks will allow signed messages to bypass further checks. i think that signatures and hashcash serve different purposes, and to that extent the technologies are complementary... if i have your key in my keyring you can sign a message and it won't be subject to filtering... but if i don't know you, then hashcash will do the same thing. also, i may not want to sign an email with my key (maybe i'll want to deny later that i authored it)... in that case, hashcash is more valuable.

the whole point behind signatures (in this context) is to indicate automatically that the message is from someone I know. Not from someone pretending to be someone I know but actually someone that I know and have exchanged e-mail with in the past. That's it. End of requirements (sort of). It's not to have any greater level of meaning. That's for someone else's concern. It's just "it says it's from Joe, does it look like his signature?"
=================

let's say i send an email to my mom, and her MUA recognizes a pgp email header on my signed email. whether the mail was signed manually or automatically doesn't matter, here. anyway, her MUA informs her:
This email includes key information for "Atom Smasher". Would
you like to accept all emails signed by "Atom Smasher"?


that's all it takes. then her MUA creates a key-pair for her, and automatically signs outgoing messages... same thing happens when someone gets a message from her.


well, here's the question: how fast can you forge someone's key if it's a small number of bits? After all, that's what all of our techniques boil down to. If I use a public key system with 256 bits, how fast can a spammer fake being me? What's a reasonable lower floor?
=================

not that big a problem to use <512 keys here... first of all, keys will be easier to steal than break (when used on inferior operating systems), so why would anyone try breaking one? second, let's say my mom's MUA uses a default of 256-RSA keys, and someone breaks that key... what good is it? they can use it to get past the filter of everyone who she exchanges email with... NOT worth the effort for getting past 100 or so filters!

so, the obvious weakness in automatically signing emails is that viruses will steal the key (large keys don't help), and then use it to send mail to everyone in that user's address book.

now, if i'm the sysadmin for a large bank, and my customers are targeted for phishing scams, then i'd be smart to use larger keys (among other obvious and non-obvious precautions).

as an end user, do i benefit more from hashcash or signatures? i ~think~ hashcash is, overall, better. as a bank whose customers are targeted in phishing scams, do i benefit more from hashcash or signatures? i can protect myself much better if a PKI allowed customers to quickly identify if an email is *really* from me... domain-keys and SPF will both help with the problem of forgeries.


now, if we add the requirement that we want to also encrypt e-mail in transit, again, what's the size of the organization that can regenerate my key, how long would it take, etc.
===========

depends on your threat model. my mom would be "safe" with small keys... my bank would not be.


mind you, if we use the Russian dolls model of encryption (weak outside, strong inside) then it wouldn't matter so much because if you truly wanted to protect your contents, you would protect your contents explicitly. I'm mostly thinking about envelope level protection.
============

SMTP-TLS seems to do that, for now... far from perfect, but better than nothing. of course, if my email is a secret, i still use pgp.


...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

        "What you are seeing is not just a consolidation of seed
         companies, it is really a consolidation of the entire food
         chain. Since water is as central to food production as seed
         is, and without water life is not possible, Monsanto is now
         trying to establish its control over water."
                -- Robert Farley, Monsanto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

-----END PGP SIGNATURE-----
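
The filtering policy discussed in this message (a signature from a key already in the recipient's keyring bypasses further checks, and a valid hashcash stamp does the same for unknown senders), sketched as an added example that is not part of the original post or of any hashcash tool. It assumes the MUA has already verified the signature and passes the signer's fingerprint as `verified_fpr`; the function names, the 16-bit floor, the 28-day window and the sample values are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int, date: str) -> str:
    """Brute-force a version 1 stamp (constructed sample data, fixed rand field)."""
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::c2FtcGxl:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1

def stamp_ok(stamp, recipient, now, seen, min_bits=16, max_age_days=28):
    """Check a stamp of the form ver:bits:date:resource:ext:rand:counter."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        claimed = int(parts[1])
        issued = datetime.strptime(parts[2][:6], "%y%m%d")
    except ValueError:
        return False
    if claimed < min_bits or parts[3] != recipient:
        return False                      # too cheap, or minted for someone else
    if not timedelta(days=-2) <= now - issued <= timedelta(days=max_age_days):
        return False                      # expired or future-dated
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
        return False                      # claims more work than was done
    if stamp in seen:
        return False                      # replayed stamp
    seen.add(stamp)
    return True

def bypass_filter(msg, keyring, recipient, now, seen):
    """Return why a message may skip content filtering, or None if it may not."""
    fpr = msg.get("verified_fpr")         # assumption: set only after a good signature
    if fpr and fpr in keyring:
        return "known-signer"
    stamp = msg.get("hashcash")
    if stamp and stamp_ok(stamp, recipient, now, seen):
        return "hashcash"
    return None
```

A stolen signing key still yields `known-signer` for every recipient who has accepted it, which is the weakness the message points out; the stamp path is unaffected by key theft but costs the sender CPU time per recipient.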
