-----BEGIN PGP SIGNED MESSAGE----- An entity known as "Tense Hot Alien in Barn" wrote:
This is exactly right. In fact, it isn't even just bad programmer decisions; some of the complexity is really inherently needed for security. PGP's notion of who you trust to certify keys, for example, confuses the heck out of naive users, who want to "trust" anyone they believe is a good person, not just people they believe are sophisticated enough to sign keys. It's really hard to explain to some people why they should say, "No, I don't trust Grandma."
What a lot of people don't seem to realize is that, in crypto software,
***********************************************************************
there is a fundamental tradeoff between usability and security. You can
simplify PGP (or similar software) to the point where it's easy to deal with key management, but it will then be far more susceptible to compromise.
I'm glad that you are willing to state this opinion, Nathaniel, and take the flack that you are taking. I think that as the goals of cypherpunkism (ewww... I just invented a new "ism"...) *really* pertain to the *use* of cryptography by large groups of people-- and not merely to the mathematical details of cryptography-- that this issue is going to become overwhelmingly important in the very near future. I challenge you, however, to go beyond pointing this problem out and start suggesting some approaches to alleviating it. With your experience in doing security for a successful Internet transaction system, I would hope that you have valuable insights which can benefit all of us. To get to the point, I want to know if this "fundamental tradeoff" that you refer to is in fact *fundamental*. That is to say: is the product of the "security factor" and the "usability factor" a constant? Or are there methods which can be practically implemented to make strong cryptography easier for Joe Average to use without exposing Joe to unnecessary risks? I'm sure in a trivial sense that there are some such methods. For example (to pick on everyone's favorite crypto-for-the-masses), if PGP v1 and v2 had come in a nice menu-oriented shell, or with a nice API, then a hell of a lot more people would be using PGP now, and without reducing its effectiveness as far as I can see. I'm sure that the PGP guys are aware of this problem, and I am looking forward (as I'm sure many of us are) to PGP v3 with much anticipation. But this kind of gooey "user friendliness" is not sufficient to make crypto *really* convenient to learn and to use, nor is it sufficient to make Joe Average's use of crypto really secure. (Note the extreme sparsity of the current PGP Web O Trust, and the oft-lamented weakness of Joe's passphrase.) I have made a clumsy first shot at envisioning the kind of strong, convenient crypto that could perhaps bring the capabilities that we talk about here to the masses. I submitted this article to cpunks last week entitled "My conception of the ideal encryption tool for the masses", and it was picked up Robert Hettinga and echoed to his e$pam list. Unfortunately I have not received a single response to this article either in personal mail or in public. Was my article so poorly written? Or are the cpunks failing to realize the importance of the usability/security issue? I sincerely hope that Nathaniel and others can make progress in addressing this issue. Ultimately it will be as important as any issue in cryptography. Regards, Bryce P.S. I just went and re-read "My conception of the ideal encryption tool for the masses" and I think I failed to make something clear. The crypto device that I envision is *not* just useful for buying a pack of cigarettes at the grocery store. I could imagine it being used for *every* user-authentication purpose. You sit down at a terminal, plug your pocket-crypto-box into it, and read your private e-mail. You walk into a secure building, pass your pocket-crypto-box in front of the infra-red IO device, and the door opens for you. You negotiate a million-cyber-credit deal, you plug your pocket-c'box into the Net, and sign the contract. Etc. etc. In short, for the vast majority of your crypto needs you depend *entirely* upon the pocket-c'box and not upon passphrases and floppy disks. P.P.S. I am aware that this makes a physical attack upon your c'box into one of the few remaining viable attacks. I recommend that everyone carries a handgun next to their pocket c'box. Deadman switches, good police forces and other physical security, etc. will also be important. Since this technology is empowering individuals, it is also increasing the value of loot than can be gained by robbing an individual. Alley-bash the right person and you might be able to steal a personal fortune. Another issue that we who seek a better future through technology need to address. P.P.P.S. I can see that there is a major problem with my idea regarding the IO between the pocket-c'box and the user. Perhaps the pocket-c'box will have to come with trusted IO hardware (screen, keyboard, pointer-device, audio, vox-recog... but I digress...). P.P.P.P.S. Also note that the pocket c'box should probably hold many of your pseudonyms (i.e., many of your pseudonyms' private keys) and your Chaumian pseudonym-exchangeable credentials. P.P.P.P.P.S. Remember those under-$600.00 netstations? Even if they don't pan out this year, they will soon. And then they will move into our pockets, and into our wristwatches, etc etc. The cypherpunks need to be ready to offer Joe a *secure* computer to put into his pocket, so that he is carrying new capabilities and renewed privacy in his pocket, rather than carrying a little chunk of Big Brother. signatures follow "To strive, to seek, to find and not to yield." -Tennyson <a href="http://www.c2.org/~bryce/Niche.html"> bryce@colorado.edu </a> -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01 iQCVAwUBMMyPLfWZSllhfG25AQHPRQP/fwhKqyUdOv2/t/YCc68GQrNMOhCT69KE PVE27Fp3CYnx+lGgzynnh1kr9DlH/bOOQRGf+fjqbPswr7PDHUoMaTAnBFr8gzf3 eXPd9moyixjNvHXacMpl0I5A/0tr6Lt2N/L5FUTyMf5zecMzbEbuKyiQE8pOYajx COKJyTTk794= =4spo -----END PGP SIGNATURE-----