[hashcash] Re: Opportunistic signatures - a proposed design

  • From: "Eric S. Johansson" <esj@xxxxxxxxxx>
  • To: hashcash@xxxxxxxxxxxxx
  • Date: Sun, 29 Aug 2004 16:00:34 -0400

Atom 'Smasher' wrote:


let's say i send an email to my mom, and her MUA recognizes a pgp email header on my signed email. whether the mail was signed manually or automatically doesn't matter, here. anyway, her MUA informs her:
This email includes key information for "Atom Smasher". Would
you like to accept all emails signed by "Atom Smasher"?


that's all it takes. then her MUA creates a key-pair for her, and automatically signs outgoing messages... same thing happens when someone gets a message from her.

OK, I'll argue that you do not even need to see that message in the first place. Why not have her MUA look at recent traffic and say "she has sent e-mail to atom smasher three times. I've seen the same key from atom with a stamp three times. Therefore, let's assume any signature created by this key is equivalent to a stamp made by atom. no need to bother mom. She has more important things to do."


Seriously, the whole notification/accept request message would only serve to confuse and not enlighten. This is not to say you should not keep track of all of this information and make it available on user request, but there's no need to throw it in their face. Remember that users hate pop-ups of all forms, whether they be from Web browsers or from alert boxes in the application.

so, the obvious weakness in automatically signing emails is that viruses will steal the key (large keys don't help), and then use it to send mail to everyone in that user's address book.

just as much as they can steal cycles from a user's machine (100 addresses is not that much) and send hashcash stamped messages to everyone in your address book.


now, if i'm the sysadmin for a large bank, and my customers are targeted for phishing scams, then i'd be smart to use larger keys (among other obvious and non-obvious precautions). If you're owned, you are owned.

I have a friend who is closely tied to an anti-phishing group. He has seen camram and thinks it could be very useful for anti-phishing, especially if we can get the signature stuff straightened out. It's useful from two perspectives. The first is from the stamp reducing the volume of phisher traffic getting through; the second is from the signatures being verifiable. But the whole concept of verifiable signatures gets into a very different discussion outside of hashcash/camram.


as an end user, do i benefit more from hashcash or signatures? i ~think~ hashcash is, overall, better. as a bank whose customers are targeted in phishing scams, do i benefit more from hashcash or signatures? i can protect myself much better if a PKI allowed customers to quickly identify if an email is *really* from me... domain-keys and SPF will both help with the problem of forgeries.

hashcash is an introducer. Opportunistic signatures allow for efficient distribution of mail to people who agreed to know each other (individuals and mailing lists). You can never really know if e-mail is "really" from you. There are too many ways for the identity process to be corrupted, even if you meet the person face-to-face with appropriate documentation. You have no way of knowing it's truly accurate. You need to understand where false information can be injected into the system, and if you can corrupt human processes long before you ever go digital, then there is no hope. All you can do is trust people based on repeated exposure.


A friend of mine once shared with me a Brazilian saying, which is that you never know anyone until you have eaten a bag of salt with them. It's an obvious metaphor for long-term exposure to another party in a variety of settings so you get to know them. The Soviets knew this quite well, as during the Cold War they would plant people in various countries and let them establish 20 or 30 years' worth of history before calling them into action. So, this long ramble is basically to say, digital signatures aren't worth squat, which is why they're useful for this particular purpose of spam resistance.

mind you, if we use the Russian dolls model of encryption (weak outside, strong inside) then it wouldn't matter so much because if you truly wanted to protect your contents, you would protect your contents explicitly. I'm mostly thinking about envelope level protection.

============

SMTP-TLS seems to do that, for now... far from perfect, but better than nothing. of course, if my email is a secret, i still use pgp.

SMTP TLS only protects you when it's in transit. Not on the mail spools. Now granted depending on where you put this engine, you'll end up with similar exposure but if it's end to end, you'll have protection end to end.


---eric
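
The silent acceptance rule proposed in the reply above (mail sent to a correspondent three times, the same key seen with a stamp three times), as an added example that is not part of the original post and is not camram or hashcash code. The class and method names, the single shared threshold, and the choice to stay on stamps when one address presents more than one key are assumptions; the address and key ids are constructed.

```python
from collections import defaultdict

THRESHOLD = 3  # "three times" in the post; assumed to apply to both counters


class OpportunisticKeyStore:
    """Hypothetical MUA-side bookkeeping for silently accepting a sender's key."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.sent = defaultdict(int)  # address -> mails the user sent there
        self.stamped = defaultdict(lambda: defaultdict(int))  # address -> key -> count
        self.accepted = {}  # address -> key trusted in place of a stamp

    def record_outgoing(self, address):
        self.sent[address] += 1
        self._promote(address)

    def record_incoming(self, address, key_id, stamp_ok):
        # A key only earns credit when it arrives on a validly stamped message.
        if stamp_ok:
            self.stamped[address][key_id] += 1
            self._promote(address)

    def _promote(self, address):
        if address in self.accepted or self.sent[address] < self.threshold:
            return
        keys = self.stamped[address]
        # Assumption: two different keys claiming one address is ambiguous,
        # so nothing is accepted and the sender keeps paying with stamps.
        if len(keys) == 1:
            (key_id, count), = keys.items()
            if count >= self.threshold:
                self.accepted[address] = key_id

    def needs_stamp(self, address, key_id, signature_ok):
        """True if this message must still carry a hashcash stamp."""
        return not (signature_ok and self.accepted.get(address) == key_id)


if __name__ == "__main__":
    store = OpportunisticKeyStore()
    for _ in range(3):
        store.record_outgoing("atom@example.org")          # constructed address
        store.record_incoming("atom@example.org", "KEY-A", stamp_ok=True)
    print(store.needs_stamp("atom@example.org", "KEY-A", signature_ok=True))
    print(store.needs_stamp("atom@example.org", "KEY-B", signature_ok=True))
```

The store only decides whether a signature can stand in for a stamp; as the thread notes, a key stolen from a compromised machine passes this check just as stolen CPU cycles would produce valid stamps.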
