At 2:48 AM -0700 10/12/97, Adam Back wrote:
Once you acknowledge that it is more secure to have short lived communication keys (which in my view it very clearly is), it should be ...
Just what are some of the issues with us getting D-H-type perfect forward secrecy with something like e-mail? I assume this must be possible, of course, as D-H is used in just these ways. (The Comsec 3DES phone I have does this, of course.)

(To repeat what has already been said, forward secrecy means some of the important keys are not kept or stored, and so a subpoena at some future time to produce the keys used in a communication is pointless. Cf. Schneier for more.)

First and foremost as a requirement would be the need for a back-and-forth communication, in a real-time or nearly real-time mode. This rules out conventional e-mail with its long and variable latencies for delivery. (Not to mention diverse clients and their inability to respond automatically!)

But IRC, chat rooms, Internet telephony, etc., are all common. With latencies of ~seconds, or even less.

I picture conventional e-mail being replaced, for this application, with this kind of system.

Maybe D-H forward secrecy systems already exist....

Forward secrecy might be arrangeable even with long-latency links...it seems to me. (Through a series of links, compute and store the D-H parameters, then use them with conventional e-mail for the "payload" message?)

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
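Added example, not part of the original e-mail: a sketch of the store-and-forward idea floated above, in which the recipient computes one-time D-H values ahead of time and the sender pairs one of them with a fresh exponent for a single payload message. The toy group, the stand-in stream cipher, the names Recipient, seal and open, and the premise that the published values reach the sender authentically are all assumptions of the sketch.

```python
import hashlib, hmac, secrets

# Toy group (assumption of this sketch): prime 2**255 - 19, base 2.
# Far too small for real use; chosen so only the standard library is needed.
P, G = 2**255 - 19, 2

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2            # private exponent in [2, P-2]
    return x, pow(G, x, P)

def derive_keys(shared, eph_pub, prekey_pub):
    # Bind the keys to both public values; split into cipher key and MAC key.
    data = b"".join(v.to_bytes(32, "big") for v in (shared, eph_pub, prekey_pub))
    k = hashlib.sha512(data).digest()
    return k[:32], k[32:]

def keystream_xor(key, data):
    # Stand-in cipher for the sketch: SHA-256 in counter mode, XORed with data.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(prekey_id, prekey_pub, plaintext):
    e, e_pub = dh_keypair()                     # sender's one-time exponent
    enc, mac = derive_keys(pow(prekey_pub, e, P), e_pub, prekey_pub)
    ct = keystream_xor(enc, plaintext)
    tag = hmac.new(mac, ct, hashlib.sha256).digest()
    # e and the derived keys are never stored; only public material is returned
    return {"prekey_id": prekey_id, "eph_pub": e_pub, "ct": ct, "tag": tag}

class Recipient:
    def __init__(self, count):
        # "Compute and store": one-time D-H values generated ahead of time.
        self.private, self.published = {}, {}
        for i in range(count):
            self.private[i], self.published[i] = dh_keypair()

    def open(self, msg):
        x = self.private[msg["prekey_id"]]      # KeyError once the value is gone
        if not 1 < msg["eph_pub"] < P - 1:
            raise ValueError("bad public value")
        enc, mac = derive_keys(pow(msg["eph_pub"], x, P), msg["eph_pub"], pow(G, x, P))
        expect = hmac.new(mac, msg["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, msg["tag"]):
            raise ValueError("bad tag")         # forged mail does not burn the value
        del self.private[msg["prekey_id"]]      # drop it: this mail can't be reopened
        return keystream_xor(enc, msg["ct"])
```

Python's del only drops the reference; an implementation that must resist later key recovery also has to overwrite the exponent in memory and on disk.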