Re: subjective names and MITM
This discussion can be divided into two separate situations, the first of which is exemplified perfectly by Hal:

hfinney@shell.portal.com writes:
m5@dev.tivoli.com (Mike McNally) writes:
hfinney@shell.portal.com writes:
This situation with the MITM is actually about the same as if you were communicating insecurely in the first place. You are exposed to all of the same risks.
The only way to achieve the level of security offered by physical face to face communication with a person is to have a physical face to face conversation at some point. If you only ever communicate via electronic means, you are always subject to the risk of dealing with a synthetic entity. (I think.)
I don't think so, or at least the risk can be minimized much more than in the model where we just say that we're communicating with keys, therefore a MITM is perfectly legitimate because it's just a matter of who holds the keys. Suppose I want to talk to PC Magazine columnist John Dvorak. Suppose I find a VeriSign certificate for his key, with his name and employment information. I've never met him. We've never had a face to face conversation. Yet I claim I can communicate with considerable security with Dvorak using this certificate, certainly more than if I just use any old key which is lying around with his name on it, one which may be owned by a MITM.
Here the wish is to communicate with a 'real' person. A person that actually exists and has an in-built reputation that is separate from his key. This is very much a real life situation and is very similar to the first time that you meet someone - it is very hard to know that someone is who they say that they are, few people ask for ID and even ID is possible to fake (an old key that is actually owned by a MITM). In this case the person is known (of) and not the key - therefore it makes sense to attempt to ensure that the link between the key and the person is as strong (trustworthy) as possible.

However this is not the case in the second situation: I could say that I know that I enjoy reading mail from some people on the list, that I agree with some people on the list or that some people on the list hold very strong opinions on certain subjects. However this would not be correct as I have not met anyone else on the list in person (we do not all live in the US). It would be more correct to say that I enjoy reading mail from some addresses on the list (etc.) - I have no real idea whether hfinney@shell.portal.com is Hal or actually Tim expressing different views. If I mail Hal therefore I am actually mailing the entity that sends mail to the list from that address and I would do so being pretty sure that I was communicating with the person who mails here - but I would have no idea whether he is actually male, female, blond, brunette etc. apart from what I choose to believe from others.

Now mail is far easier to fake/intercept than a digital signature/encryption - at least I hope so. Therefore if Hal were to sign all of his messages I could check the signatures with a public key obtained from anywhere at all and if they passed then I could be confident that the messages were all written by the entity with control of the secret part of the key - at least far more confident than I am that all of the mail from hfinney@shell.portal.com actually comes from there.

So instead of me getting the idea that hfinney@shell.portal.com posts interesting messages I get the idea that the holder of the secret key posts interesting messages - I would probably still use the mail address as keys are less convenient with current mail readers but that is an implementation problem. Hal's reputation is therefore transferred to the key - no matter where I got the key from. So if I send encrypted mail to the person with the private part of Hal's key I can be sure that it can only be read by the person who actually sent the messages purporting to be from Hal. So the MITM problem is 'defined away' in the case where a reputation grows with a key but is still a major problem where you want to transfer a ready made reputation to a key (as in the first example). In effect the key becomes a pseudonym and you can be sure of communicating with the pseudonym safely but cannot be sure of anything about the pseudonym that you have not experienced yourself without trusting someone else (VeriSign in the first example). Thus the problem is more reputation transfer than anything else.

Jon C. Baber
jbaber@mi.leeds.ac.uk
http://www.chem.surrey.ac.uk:80/~ch02jb/
jbaber@mi.leeds.ac.uk writes (where I have taken the liberty of reformatting for 80 columns):
Now mail is far easier to fake/intercept than a digital signature/encryption - at least I hope so. Therefore if Hal were to sign all of his messages I could check the signatures with a public key obtained from anywhere at all and if they passed then I could be confident that the messages were all written by the entity with control of the secret part of the key - at least far more confident than I am that all of the mail from hfinney@shell.portal.com actually comes from there. So instead of me getting the idea that hfinney@shell.portal.com posts interesting messages I get the idea that the holder of the secret key posts interesting messages - I would probably still use the mail address as keys are less convenient with current mail readers but that is an implementation problem. Hal's reputation is therefore transferred to the key - no matter where I got the key from. So if I send encrypted mail to the person with the private part of Hal's key I can be sure that it can only be read by the person who actually sent the messages purporting to be from Hal.
Well, this is not necessarily the case. A MITM may be signing my messages for me, and then putting them back the way they were before I am allowed to see them. Granted, this would not be easy, and perhaps the difficulty of this would be great enough that you will feel comfortable using an unsigned key. But if it were accomplished, then your messages to me would actually be insecure. No matter how convinced you became of my sincerity and trustworthiness, actually our conversations would be overheard by a third party despite both of our efforts to the contrary. Our use of encryption would be rendered futile. Doesn't this bother you?

Hal
-----BEGIN PGP SIGNED MESSAGE-----

Hello Hal <hfinney@shell.portal.com> and cypherpunks@toad.com

hfinney wrote (but didn't sign):
jbaber@mi.leeds.ac.uk writes (where I have taken the liberty of reformatting for 80 columns):
Now mail is far easier to fake/intercept than a digital signature/encryption - at least I hope so. Therefore if Hal where to ...
Well, this is not necessarily the case. A MITM may be signing my messages for me, and then putting them back the way they were before I am allowed to see them. Granted, this would not be easy, and perhaps ... futile. Doesn't this bother you?
The point is that what if there's a MITM who is changing the signatures on the hfinney posts? What if originally they were signed "Alice" but then a MITM went and substituted "Hal"? Then any reputation I attached to Hal should really go to Alice, no? And even when I get a certified key for Hal, I still can't really put the reputation onto it, since maybe the reputation really belongs to Alice. Doesn't this bother you?

At least with digital signatures I can be certain that the same person always signed the messages (and that they cannot repudiate them), even if I don't necessarily know who that person is. (I guess the issue becomes plagiarism rather than impersonation.)

Hope that makes sense...

Jiri
- --
If you want an answer, please mail to <jirib@cs.monash.edu.au>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMIyOySxV6mvvBgf5AQFJUQP/Wf8wHYUw4JbE4PBxWbSX1nzgOA2EYYsn
L2FuBjKuLXqAG+xRSdJe8ySgaqiPV1JWP16NX97x5YOkMH99DMH73DMmYntvmYy1
G6NdXxhejLQgv0vx0VmVCE171ACB4A+uNe3b6EAsbsKTvd3b5TOWDl9KFQ5wtqGf
VK0o3j6S95U=
=QdEN
-----END PGP SIGNATURE-----
Jiri Baum <jirib@sweeney.cs.monash.edu.au> writes:
hfinney wrote (but didn't sign):
Well, this is not necessarily the case. A MITM may be signing my messages for me, and then putting them back the way they were before I am allowed to see them. Granted, this would not be easy, and perhaps ... futile. Doesn't this bother you?
The point is that what if there's a MITM who is changing the signatures on the hfinney posts? What if originally they were signed "Alice" but then a MITM went and substituted "Hal"?
Then any reputation I attached to Hal should really go to Alice, no? And even when I get a certified key for Hal, I still can't really put the reputation onto it, since maybe the reputation really belongs to Alice.
Doesn't this bother you?
Yes, this is a problem with the use of certificates to try to detect the MITM. As I wrote before, there is still a way in which certs can be useful. Your attack shows that you can't use true name certificates to confirm that there is no MITM in front of Alice. However, you can use them to detect a MITM who is interposing himself between you and the rest of the net. In other words, if I am Alice, I can use certificates to make sure that no MITM is behaving as above, altering my messages and signing them "Hal". What I do is to acquire a valid signature key via offline means, and use that to validate the keys of people I want to communicate with. I am then able to send them messages securely, and ask them to confirm that my keys and user name do match those which appear in messages I have posted. The MITM is not able to know the contents of these messages which I send, hence he can't stop me from finding out his existence.
At least with digital signatures I can be certain that the same person always signed the messages (and that they cannot repudiate them), even if I don't necessarily know who that person is. (I guess the issue becomes plagiarism rather than impersonation.)
IMO by itself knowing that the same person signed every one of a set of messages is not that useful, since anyone can sign any message.

Hal
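The three positions in this thread, as an added example that is not part of any post here and not code from any of the participants: Jon's reader who pins the first key that verifies for a name and lets reputation accrue to that key; Hal's attacker who strips the author's signature and re-signs the same body under his own key, so the pinned key is the attacker's from day one; and Hal's detection, where the author, holding a key for the reader that was obtained offline, sends a confirmation the MITM can neither read nor alter and the reader compares it with what the list showed. Everything in it is constructed for illustration: the function names, the `Reader` pinning policy, the "hal" name and the test data are mine; Ed25519 stands in for the PGP signatures the thread has in mind, and X25519 plus AES-GCM stands in for PGP encryption. Go standard library only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Post is what reaches a reader from the list: claimed name, body, the signing
// key the sender attached, and a signature over the body.
type Post struct {
	Name string
	Body string
	Key  ed25519.PublicKey
	Sig  []byte
}

func Sign(priv ed25519.PrivateKey, name, body string) Post {
	return Post{name, body, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(body))}
}

// Resign is Hal's attacker: strip the author's signature and re-sign under the MITM's key.
func Resign(mitm ed25519.PrivateKey, p Post) Post { return Sign(mitm, p.Name, p.Body) }

// Reader follows Jon's model: the first key that verifies for a name is pinned
// as that name's pseudonym; reputation attaches to the key, not to the name.
type Reader struct{ Pinned map[string]ed25519.PublicKey }

func NewReader() *Reader { return &Reader{Pinned: map[string]ed25519.PublicKey{}} }

// Receive rejects a bad signature, or a key change for an already pinned name
// (which catches a MITM who appears only after the pin was set).
func (r *Reader) Receive(p Post) error {
	if !ed25519.Verify(p.Key, []byte(p.Body), p.Sig) {
		return fmt.Errorf("bad signature on post from %q", p.Name)
	}
	if k, ok := r.Pinned[p.Name]; ok && !k.Equal(p.Key) {
		return fmt.Errorf("signing key for %q changed", p.Name)
	}
	r.Pinned[p.Name] = p.Key
	return nil
}

// gcmFor turns an X25519 shared secret into AES-256-GCM. A zero nonce is used
// with it because each SealTo box has its own ephemeral key, so no key repeats.
func gcmFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// SealTo encrypts msg to peer. Box: ephemeral public key (32 bytes) || ciphertext.
func SealTo(peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return gcmFor(shared).Seal(eph.PublicKey().Bytes(), make([]byte, 12), msg, nil), nil
}

// OpenWith decrypts a SealTo box; anything the MITM altered fails the GCM tag.
func OpenWith(me *ecdh.PrivateKey, box []byte) ([]byte, error) {
	if len(box) < 32 {
		return nil, fmt.Errorf("box too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(box[:32])
	if err != nil {
		return nil, err
	}
	shared, err := me.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return gcmFor(shared).Open(nil, make([]byte, 12), box[32:], nil)
}

// ConfirmPin is Hal's check: Alice sends her name and signing key under the reader's
// offline-obtained key, where the MITM cannot read or alter it; the reader compares with the pin.
func ConfirmPin(r *Reader, reader *ecdh.PrivateKey, alice ed25519.PrivateKey, name string) (bool, error) {
	pub := alice.Public().(ed25519.PublicKey)
	box, err := SealTo(reader.PublicKey(), append([]byte(name+":"), pub...))
	if err != nil {
		return false, err
	}
	claim, err := OpenWith(reader, box) // from here on, the reader's side
	if err != nil {
		return false, err
	}
	seen, ok := r.Pinned[name]
	return ok && seen.Equal(ed25519.PublicKey(claim[len(name)+1:])), nil
}
```

Two things the code makes concrete. `Receive` only ever detects a key that changes, which is why a MITM present from the first post is invisible to it: every post verifies, and the reputation is simply credited to his key, exactly as Hal and Jiri describe. `ConfirmPin` works because the only thing it needs to be authentic is the reader's encryption key; the ephemeral X25519 key and the GCM tag mean the attacker on the list path gets neither the contents nor a chance to rewrite them, so a mismatch between the key the author uses and the key the reader pinned is decisive.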