[hashcash] Re: Opportunistic signatures - a proposed design
- From: "Eric S. Johansson" <esj@xxxxxxxxxx>
- To: hashcash@xxxxxxxxxxxxx
- Date: Sun, 29 Aug 2004 16:00:34 -0400
Atom 'Smasher' wrote:
let's say i send an email to my mom, and her MUA recognizes a pgp email
header on my signed email. whether the mail was signed manually or
automatically doesn't matter, here. anyway, her MUA informs her:
This email includes key information for "Atom Smasher". Would
you like to accept all emails signed by "Atom Smasher"?
that's all it takes. then her MUA creates a key-pair for her, and
automatically signs outgoing messages... same thing happens when someone
gets a message from her.
OK, I'll argue that you do not even need to see that message in the
first place. Why not have her MUA look at recent traffic and say "she
has sent e-mail to atom smasher three times. I've seen the same key
from atom with a stamp three times. Therefore, let's assume any
signatures created by this key are equivalent to a stamp made by atom. no
need to bother mom. She has more important things to do."
seriously, the whole notification accept request messages would only
serve to confuse and not enlighten. This is not to say you should not
keep track of all of this information and make it available on user
request, but there's no need to throw it in their face. Remember that
users hate pop-ups of all forms whether they be from Web browsers or
from alert boxes in the application.
so, the obvious weakness in automatically signing emails is that viruses
will steal the key (large keys don't help), and then use it to send mail
to everyone in that user's address book.
just as much as they can steal cycles from a user's machine (100
addresses is not that much) and send hashcash stamped messages to
everyone in your address book.
now, if i'm the sysadmin for a large bank, and my customers are targeted
for phishing scams, then i'd be smart to use larger keys (among other
obvious and non-obvious precautions). If you're owned, you are owned.
I have a friend who is closely tied to an anti-phishing group. He has seen
camram and thinks it could be very useful for anti-phishing especially
if we can get the signature stuff straightened out. It's useful from
two perspectives. First, from the stamp reducing the volume of phisher
traffic getting through; the second is from the signatures being
verifiable. But the whole concept of verifiable signatures gets into a
very different discussion outside of hashcash/camram.
as an end user, do i benefit more from hashcash or signatures? i ~think~
hashcash is, overall, better. as a bank whose customers are targeted in
phishing scams, do i benefit more from hashcash or signatures? i can
protect myself much better if a PKI allowed customers to quickly
identify if an email is *really* from me... domain-keys and SPF will
both help with the problem of forgeries.
hashcash is an introducer. Opportunistic signatures allow for efficient
distribution of mail to people who agreed to know each other
(individuals and mailing lists). you can never really know if e-mail is
"really" from you. There are too many ways for the identity process to be
corrupted even if you meet the person face-to-face with appropriate
documentation. You have no way of knowing it's truly accurate. You need to
understand where false information can be injected into the system and
if you can corrupt human processes long before you ever go digital, then
there is no hope. All you can do is trust people based on repeated
exposure.
A friend of mine once shared with me a Brazilian saying which is that
you never know anyone until you have eaten a bag of salt with them.
It's an obvious metaphor for long-term exposure to another party in a
variety of settings so you get to know them. Soviets knew this quite
well as during the Cold War they would plant people in various
countries, let them establish 20 or 30 years' worth of history before
calling them into action. So, this long ramble is basically to say,
digital signatures aren't worth squat which is why they're useful for
this particular purpose of spam resistance.
mind you, if we use the Russian dolls model of encryption (weak
outside, strong inside) then it wouldn't matter so much because if you
truly wanted to protect your contents, you would protect your contents
explicitly. I'm mostly thinking about envelope level protection.
============
SMTP-TLS seems to do that, for now... far from perfect, but better than
nothing. of course, if my email is a secret, i still use pgp.
SMTP TLS only protects you when it's in transit. Not on the mail
spools. Now granted depending on where you put this engine, you'll end
up with similar exposure but if it's end to end, you'll have protection
end to end.
---eric
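
The promotion rule described in the message above (mail sent to a correspondent three times, the same key seen on three stamped messages from them, no prompt to the user), sketched as an added Python example; it is not code from the post or from camram. The class and method names are hypothetical, signature and stamp verification are assumed to happen elsewhere and arrive as booleans, and pinning the first promoted key per address is an assumption of this sketch.

```python
from collections import Counter, defaultdict

THRESHOLD = 3  # the message's "three times"; treated here as a tunable assumption


class OpportunisticTrust:
    """Tracks correspondents and the keys seen on their stamped mail."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.sent = Counter()                # address -> mails the user sent to it
        self.stamped = defaultdict(Counter)  # address -> key id -> stamped, signed mails seen
        self.trusted = {}                    # address -> key id accepted in place of a stamp

    def record_outgoing(self, to_addr):
        self.sent[to_addr] += 1
        self._maybe_promote(to_addr)

    def record_incoming(self, from_addr, key_id, sig_ok, stamp_ok):
        """Return 'signature', 'stamp' or 'reject' for one inbound message."""
        if sig_ok and self.trusted.get(from_addr) == key_id:
            return "signature"               # known key: no stamp required
        if not stamp_ok:
            return "reject"                  # unknown or changed key still has to pay
        if sig_ok:
            self.stamped[from_addr][key_id] += 1
            self._maybe_promote(from_addr)
        return "stamp"

    def _maybe_promote(self, addr):
        # Promote silently once both directions have enough history.
        # An address that already has a pinned key is never re-promoted,
        # so a new key from the same address keeps needing stamps.
        if addr in self.trusted or self.sent[addr] < self.threshold:
            return
        for key_id, seen in self.stamped[addr].items():
            if seen >= self.threshold:
                self.trusted[addr] = key_id
                return


def demo():
    """Constructed traffic: three round trips, then signature-only mail."""
    t, atom = OpportunisticTrust(), "atom@example.org"
    out = []
    for _ in range(3):
        t.record_outgoing(atom)
        out.append(t.record_incoming(atom, "KEY-A", sig_ok=True, stamp_ok=True))
    out.append(t.record_incoming(atom, "KEY-A", sig_ok=True, stamp_ok=False))
    out.append(t.record_incoming(atom, "KEY-B", sig_ok=True, stamp_ok=False))
    return out
```

The counters double as the record that can be shown on user request; a stolen key, as raised earlier in the thread, passes this check exactly as stolen cycles would pass a stamp check.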