Government subsidies: our last, best hope for Cryptanarchy?
You may be asking yourself: where, oh where, has all the crypto gone? Where are the BlackNets? Where is the untraceable Ecash? Where is the Cryptanarchy that we've been waiting for? For that matter...where is the crypto? The staunchest Cypherpunk will by now have noticed that PGP/GPG usage even amongst list members, once the bellwether indicator of Cypherpunks crypto adoption success, is in decline. NAI has pulled PGP off the shelves. Conspiracy theories as to what may have been driving this business decision abound. The fact of the matter is that the usage of PGP by businesses, the sole significant source of NAI PGP revenue, had long passed its peak. How many businesses do you know that rolled out PGP in the last year? How many do you know that quietly stopped using PGP after formally adopting its use with big fanfare a few years ago? The facts are that there are more of the latter than of the former. Did NAI receive The Briefing? I don't know. Nor does it really matter. There wasn't enough money to be made with PGP. A well-respected Cypherpunk recently expressed hope that if NAI's PGP were to disappear for good, perhaps compatibility problems amongst versions of PGP would diminish. A plausible sounding theory, if one were to assume that the compatibility problems amongst versions of PGP are between versions produced by different vendors. Presumably, the theory would go, with only one major supplier left standing, that being GPG (yes, I am aware there are others), interop problems with other vendors' implementations would pretty much disappear by definition. However, a closer inspection of the PGP interoperability problems, which have been one of the issues coming up in just about every single discussion I've had with anybody about PGP over the last year, shows that the interop problems are not between current versions by multiple vendors, but between versions, in some cases by the same vendor, that were released over time.
The current version of NAI-PGP will interoperate just fine with the current version of GPG. So why is PGP interoperability such a frequently raised issue? And why does the importance of this topic seem to diminish the further away you stray from Cypherpunks into the realms of the casual PGP users? The answer to the second question is straightforward. Even the most casual user of software tends to be familiar with and accepting of the need for occasional software upgrades. It appears that those that are experiencing interop problems are those that are insisting on using up to 5-year old versions of PGP. It is true and should come as no surprise that those 5-year old versions do indeed have interop problems with newer versions of PGP. Some may say: I shouldn't need to keep on upgrading my software to be able to send encrypted email. Does anybody seriously believe that those that insist on using 5-year old versions of PGP have not upgraded their operating systems in those 5 years? Indeed, upgraded their operating systems more than once? Or does anybody seriously believe that those that insist on using old versions of PGP still run the exact same version of their MUA and text editor as they did 5 years ago? Of course they don't. If they did, their boxes would long have become unusable due to the warez traffic taking place on the machines as a result of the countless remote exploits discovered over these last 5 years. The reluctance to upgrade to a newer version of PGP does not appear to be driven by a refusal or inability to upgrade software in general. This reluctance to upgrade appears PGP specific. Why this is the case I do not know. (And don't greatly care. I am running the latest version of NAI PGP and I can make my copy talk to any version of PGP 2.x or higher). Now perhaps there may be the rare case of a PGP user that is still running PGP 2.x on the same DOS box, using the same mailer and the same text editor as they did 5 years ago.
I don't know of any such users, but that doesn't mean no such users exist within the vastness of the Internet. What I do know is that those that I am aware of that are complaining about PGP version interoperability problems do not fall into the rare category of users who have not upgraded any software at all for the last 5 years. Since the existence of multiple PGP software providers has not been the cause of the interop problems experienced by some, reducing the number of PGP implementation providers should not be expected to have a significant impact on the number or severity of PGP interop problems experienced by the users. The same Cypherpunk expressed a hope that absent NAI's PGP, the German government group currently funding GPG might be more inclined to fund UI work for Windows. Perhaps they would. Assuming for a moment they will, would this lead to a better PGP Windows UI than NAI's PGP offered? NAI's PGP UI is pretty darn good. Looking at the sorry state of UIs currently offered for GPG, even with government funding, I suspect that it will be a long time indeed before we will see a GPG UI that will compare positively to the current NAI PGP UI. Of course Cypherpunks know that it is dangerous to base one's hope for the development of Cypherpunk tools on funding by a government. Be that the US government or the German government. Strongly pro-crypto German governmental officials have been known for their propensity to stumble out of the windows of high story buildings. Warnings regarding the dangers that may lurk in parking lots come to mind. Where has the crypto gone? The crypto has gone under the hood, away from the UI, to a place where the crypto will be of most use to the average user. Yes, for crypto to be secure against the active, well resourced, attacker, the crypto must at one point touch the user to permit the user to make a trust decision.
But to secure communications from passive and/or less resourced attacker, crypto can be placed under the hood. I bet a good percentage of the readers of this list that still require to be engaged in a form of employment nowadays access their company network via some form of VPN. Up by orders of magnitude from a few years ago. More importantly, a good percentage of users that have never heard of this mailing list and will never hear of this mailing list are using strong crypto to access their company's information. The percentage of users utilizing strong crypto is increasing daily. Another major segment of Internet infrastructure in which strong crypto is rapidly becoming the default rather than the exception, at least amongst those running their own servers, is SMTP. The percentage of SMTP connections to my mail server that use TLS to encrypt SMTP has grown from around 30% a few months ago to well over 60% today. This increase in the use of STARTTLS on SMTP appears to parallel a loss of sendmail MTA market share in favor of postfix. It is just too darn easy to turn on support for STARTTLS during a migration to postfix, hence most sites performing such a migration appear to do so. (I am aware that sendmail and qmail support STARTTLS as well, but the increases in the use of STARTTLS that I am seeing at my SMTP server coincide with sites switching MTAs to postfix. I see a handful of qmail sites using TLS, representing a fraction of the postfix sites, and no sendmail site that I have noticed. Having once considered activating STARTTLS in sendmail myself, I vividly recall myself reading the instructions, bursting out laughing, followed by my researching competitive MTAs. Within a week I had switched to postfix. Wished I had done so years ago. All these hours that I wasted over those years... YMMV).
An interesting side-effect of the increased adoption of MTAs and MUAs that support STARTTLS is that I now have a link that is secure against passive eavesdroppers to the majority of those with whom I regularly correspond in encrypted email. Is protection against only passive eavesdroppers good enough for me? No. Are we a heck of a lot further along than we were 5 years ago? I would argue that we are. Where has all the crypto gone? It has gone mainstream. Some of you may remember the discussions from years ago how we should try to find a way to make crypto cool and attractive for the average person. This afternoon, I installed the "Britney Spears SmartFlash Kit" on my Windows XP test box. For $29.95 plus shipping and handling, you too can own a Britney SmartFlash Kit, which includes a USB smartcard reader, a Gemplus smartcard (both the reader and card are graced with pictures of Britney), and a CD with Gemplus GemSafe smartcard crypto driver software (the click-wrap EULA reminds you that export to Cuba, Libya, and other naughty countries or those developing biological weapons is strictly prohibited. Sorry pop music fans located in Cuba or at the CDC). Once you have installed the gear and inserted one of the 5 possible Britney Spears smartcards (collect all 5), you will automatically be taken to a client-authenticated, 128-bit RC4 encrypted website that provides you with exclusive access to such exciting content as 45 second QuickTime clips of Britney purchasing chocolates and of course Fe's (Britney's most trusted advisor) indispensable advice column. A representative sample question follows. "Dear Fe: I'm 14 but my parents treat me like I am 10! They won't let me go out at night, and won't even let me bring a boy to the Homecoming dance. I'm in high school and want to do all the things that go along with that, but they won't let me! -- Trying to Grow Up, Americus, GA".
I will spare you Fe's answer (get your own smartcard :), but I won't spare you this: if you wonder where crypto has gone, you need to look no further than Americus, GA. If the question posed to Fe leaves any doubt about the nouveau crypto users' demographics, a drop-down list inquiring about the user's age to participate in a contest (smartcard required) should help clarify matters. The age selections offered are: [2-6], [7-12], [13-15], [16-18], [over 18]. Do not worry should your parents disapprove of your choice of music. If you hear your parents walk up to your door, just yank the card out of the reader and your browser will close instantly. Crypto has gone as mainstream as can be. While crypto for crypto's sake may not have become cool to everybody, crypto has become a Must Have for your average 14 year-old high school freshman girl. Crypto has become ubiquitous. http://www.britneyspears.com/smartflashcard/index.php As to when we'll see BlackNet and untraceable Ecash, who knows. Here's hoping to 2005. [In the time it took me to write this post, another of the regular entries in my maillog has turned on STARTTLS, protecting the SMTP connection with EDH and 3DES]. --Lucky
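The STARTTLS share that Lucky reads off his maillog can be measured rather than eyeballed. The Go program below is an added example, not part of the original post: it assumes Postfix-style smtpd log lines (the sample log is constructed for the example) and reports, per sending host, how many inbound sessions negotiated TLS and with which cipher suite, plus the overall percentage.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of Postfix smtpd log lines, not a real maillog: five
// inbound sessions from three hosts, three of which negotiated STARTTLS.
const sampleLog = `May 26 19:04:12 mx postfix/smtpd[4711]: connect from mail.example.org[192.0.2.10]
May 26 19:04:12 mx postfix/smtpd[4711]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
May 26 19:04:13 mx postfix/smtpd[4711]: disconnect from mail.example.org[192.0.2.10]
May 26 19:05:40 mx postfix/smtpd[4712]: connect from relay.example.net[198.51.100.7]
May 26 19:07:02 mx postfix/smtpd[4713]: connect from mail.example.org[192.0.2.10]
May 26 19:07:02 mx postfix/smtpd[4713]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
May 26 19:08:15 mx postfix/smtpd[4714]: connect from smtp.example.com[203.0.113.5]
May 26 19:08:15 mx postfix/smtpd[4714]: Untrusted TLS connection established from smtp.example.com[203.0.113.5]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
May 26 19:09:30 mx postfix/smtpd[4715]: connect from relay.example.net[198.51.100.7]
`

// PeerStats is what the log tells us about one sending host.
type PeerStats struct {
	Connects int            // sessions opened
	TLS      int            // sessions that negotiated STARTTLS
	Ciphers  map[string]int // cipher suite names seen, with counts
}

// peerName returns the "host[ip]" that follows marker in line, or "".
func peerName(line, marker string) string {
	i := strings.Index(line, marker)
	if i < 0 {
		return ""
	}
	rest := line[i+len(marker):]
	end := strings.Index(rest, "]")
	if end < 0 {
		return ""
	}
	return rest[:end+1]
}

// ParseMaillog tallies, per peer, how many smtpd sessions were opened and how
// many of them were protected by TLS. It keys on the two Postfix messages
// "connect from host[ip]" and "... TLS connection established from host[ip]: ...".
func ParseMaillog(log string) map[string]*PeerStats {
	stats := make(map[string]*PeerStats)
	get := func(name string) *PeerStats {
		p, ok := stats[name]
		if !ok {
			p = &PeerStats{Ciphers: make(map[string]int)}
			stats[name] = p
		}
		return p
	}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if !strings.Contains(line, "postfix/smtpd[") {
			continue
		}
		switch {
		case strings.Contains(line, ": connect from "): // the ": " excludes "disconnect from"
			if name := peerName(line, ": connect from "); name != "" {
				get(name).Connects++
			}
		case strings.Contains(line, "TLS connection established from "):
			name := peerName(line, "TLS connection established from ")
			if name == "" {
				continue
			}
			p := get(name)
			p.TLS++
			// The cipher suite follows "with cipher " and ends at the next space.
			if i := strings.Index(line, "with cipher "); i >= 0 {
				if f := strings.Fields(line[i+len("with cipher "):]); len(f) > 0 {
					p.Ciphers[f[0]]++
				}
			}
		}
	}
	return stats
}

// TLSPercent is the share of all inbound sessions that negotiated TLS.
func TLSPercent(stats map[string]*PeerStats) float64 {
	total, tls := 0, 0
	for _, p := range stats {
		total += p.Connects
		tls += p.TLS
	}
	if total == 0 {
		return 0
	}
	return 100 * float64(tls) / float64(total)
}

func main() {
	stats := ParseMaillog(sampleLog)
	for name, p := range stats {
		fmt.Printf("%s: sessions=%d tls=%d ciphers=%v\n", name, p.Connects, p.TLS, p.Ciphers)
	}
	fmt.Printf("TLS-protected sessions: %.0f%%\n", TLSPercent(stats))
}
```

Running it over a real maillog (`ParseMaillog` on the file contents) shows which regular correspondents have switched on STARTTLS and which still deliver in the clear.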
You may be asking yourself: where, oh where, has all the crypto gone?
Presuming question, as the rest of the article. Crypto is there for all those who want to encrypt, accessible as it was five years ago. And stuff does get encrypted - the real crypto, P2P, not the bogus one between servers in boiler rooms. As for argument that OS upgrade game requires live crypto coders to keep up - that's also bogus. PGP 2.6.3i runs fine on the latest winshit. PGP 2.6.2 runs fine on latest macs. PGP 2.6.2 compiles under linux and freebsd today (unlike 6.* sources) And they are being used by those who need them. What, no shiny UI ? Tough shit. Use plaintext. And shiny UI *did not* make masses use 7.0.3, did it ? Actually, people have machines with 5-6-7 year old OSes ... because they work. Especially in end-user interface applications - text editors, mail clients, telnet/ssh/http, there is no need to upgrade at all. Virus claim is also bogus. That is, unless you use microsoft stuff with 5 months average life span. You do ? I thought so. Face it, convenient crypto is an exercise in futility. Convenience is positioning end users where they are wanted - bent over, pants down, cleansed by the upgrade enema, ready to receive. ITAR classification was correct, after all. Crypto is arms. Successful crypto distribution and use patterns will follow those for arms. Guess when sheeple will start to use crypto. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows:
* Lucky Green wrote:
Now perhaps there may be the rare case of a PGP user that is still running PGP 2.x on the same DOS box, using the same mailer and the same text editor as they did 5 years ago. I don't know of any such users, but that doesn't mean no such users exists within the vastness of the Internet.
Take me as an example. Not running DOS, but NeXTstep, Linux and HPUX (7.x). Newest Hardware running at home is from 1991. Newest hardware running at work (for me) is from 1996.
What I do know is that those that I am aware of that are complaining about PGP version interoperability problems do not fall into the rare category of users who have not upgraded any software at all for the last 5 years.
Ack.
It is strange that crypto was a lot more popular back when cryptography export was heavily controlled. Many people fought for their crypto rights, but cannot be bothered with encrypted e-mail. It is similar to securing the right to vote and then declining to do so. Lucky indicates that strong crypto has gone "under the hood" and is now "mainstream" and "ubiquitous". This is not true. There are countless e-mail and instant messages sent as plaintext across networks, through wireless, and over the Internet. Also "under-the-hood" is a risky place for crypto. It may be "patched" or "upgraded" right out of your system. Or perhaps "improved" to 40-bit for optimum performance. Stand alone cryptography is best. I enjoy sealing my personal letters in an envelope. I am uncomfortable entrusting that process to a third-party, or to the mailman. I am similarly uncomfortable entrusting e-mail encryption to an embedded system and cached authentication systems. Curt --- Lucky Green <shamrock@cypherpunks.to> wrote: ...
At 07:04 PM 5/26/02, you wrote:
Stand alone cryptography is best. I enjoy sealing my personal letters in an envelope. I am uncomfortable entrusting that process to a third-party, or to the mailman. I am similarly uncomfortable entrusting e-mail encryption to an embedded system and cached authentication systems.
And I prefer key generation when not online to a facility that may implement various operations like the "Internet X.509 Certificate Request Message Format" Internet-draft that defines certain functions between a Certificate Authority (such as VeriSign) and the user's machine that generates the key pair, including certain options for "Proof of Possession of Private Key" (POPOPrivKey) during the online session to generate keys and obtain an X.509 S/MIME certificate:

POPOPrivKey ::= CHOICE {
    thisMessage [0] BIT STRING,
    -- posession is proven in this message (which contains the private
    -- key itself (encrypted for the CA))

.. and ..

PKIArchiveOptions ::= CHOICE {
    encryptedPrivKey [0] EncryptedKey,
    -- the actual value of the private key
    keyGenParameters [1] KeyGenParameters,
    -- parameters which allow the private key to be re-generated
    archiveRemGenPrivKey [2] BOOLEAN }
    -- set to TRUE if sender wishes receiver to archive the private
    -- key of a key pair which the receiver generates in response to
    -- this request; set to FALSE if no archival is desired.
Curt Smith wrote:
It is strange that crypto was a lot more popular back when cryptography export was heavily controlled. Many people fought for their crypto rights, but cannot be bothered with encrypted e-mail. It is similar to securing the right to vote and then declining to do so.
Acts that are potentially slightly illegal and certainly considered naughty by some carry more appeal to many than acts that are unquestionably as above board as they are boring. Once the export regs changed and more advanced uses of cryptographic applications failed in the marketplace, crypto lost some of its sex appeal to its initial early-adopter rebel constituency.
Lucky indicates that strong crypto has gone "under the hood" and is now "mainstream" and "ubiquitous".
This is not true. There are countless e-mail and instant messages sent as plaintext across networks, through wireless, and over the Internet.
I believe our viewpoints coincide, rather than conflict. Crypto has gone under the hood; it is used by anybody accessing an https website, which nowadays is just about anybody with a web browser. Crypto is used by many corporate employees accessing the corporate VPN. It is the rare Internet user, of which there are of course many more than there were when Cypherpunks got started, that does not employ strong crypto in some fashion.
Also "under-the-hood" is a risky place for crypto. It may be "patched" or "upgraded" right out of your system. Or perhaps "improved" to 40-bit for optimum performance.
Agreed. Which is why I pointed out that the encryption taking place under-the-hood tends to be a reasonable defense against a passive or less-resourced attacker while being frequently unsuitable against the active, well-resourced attacker. Though I would contend that there are more of the former than there are of the latter, I too continue to utilize, as I pointed out, strong crypto that requires active user interaction permitting the trust decision to occur.
Stand alone cryptography is best. I enjoy sealing my personal letters in an envelope. I am uncomfortable entrusting that process to a third-party, or to the mailman. I am similarly uncomfortable entrusting e-mail encryption to an embedded system and cached authentication systems.
I indeed consider passive encryption methods alone to be typically insufficient for some of my personal security needs and am continuing to utilize encryption that requires me as the user to make that trust decision. But that does not mean that no security benefits are to be had from opportunistic encryption of Internet traffic. Example: the other day I sent an email to a friend that accidentally failed to PGP encrypt. The email did not contain truly critical information, but I certainly would have preferred for neither my friend's nor my ISP to have ready access to the cleartext of that email. Fortunately, we had encrypted SMTP connections end-to-end, thus protecting the contents of the email from the ISPs, albeit perhaps not from the NSA. Lastly, allow me to address the issue raised that many IM protocols in use today do not support crypto at this time. This is true, but I noticed that a good majority of the P2P efforts introduced at CODECON all included support for encryption as part of the protocol. The various developers had read Applied Cryptography, understood a sufficient part of it, and made provisions to design crypto into their protocols from the beginning rather than as an adjunct to be thought about later. While the details of the initial implementations were of varying quality (one project began by using Blowfish in ECB mode until the developer realized that he could see patterns in the ciphertext), changing a protocol during alpha testing to use a secure mode of a block cipher, given that the protocol already contains all the hooks for crypto, may be considerably easier than gluing crypto onto some of the existing IM systems. Given the rapid changes in the P2P space, just because some IM and P2P systems today fail to offer cryptographic protections should not be taken as an indicator that these protocols' successors will not offer transparent crypto as a default feature.
One such project that I have been somewhat following is the Anonymous IRC project. While their design is far from perfect, it is one of many steps in the right direction. http://www.invisiblenet.net/ There are dozens of similar projects underway, all employing crypto, that may one day replace the prevalent IM clients as rapidly as Gnutella and later Kazaa and Morpheus replaced Napster. How does the increased use of strong crypto under-the-hood help Cypherpunks? The answer reminds me of the response another Cypherpunk gave to my posting statistics about the nature of the USENET traffic seen by a major node. I expressed surprise at these rather revealing statistics, musing that there had to be a lesson to be learned from the fact that the bulk of the data is generated in newsgroups that one would not initially consider mainstream. His response was illuminating: "Yes, the lesson is: just look at all that cover traffic". --Lucky
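The "patterns in the ciphertext" that the CODECON developer noticed with Blowfish in ECB mode appear with any block cipher used that way. The Go program below is an added example, not code from any project mentioned in the thread: it uses AES from Go's standard library in place of Blowfish (which the standard library does not ship) and counts the distinct ciphertext blocks that ECB and CBC produce for a plaintext made of one repeated message, so the leak the developer saw shows up as a number. The key, IV and plaintext are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample: an IM-style presence beacon, exactly one AES block
// (16 bytes) long, repeated eight times, as a chatty protocol might send it.
var beacon = bytes.Repeat([]byte("presence: online"), 8)

// Fixed key and IV so the demo is reproducible. A real protocol must use a
// fresh, unpredictable IV for every message; it is fixed here only so the
// block counts below are stable.
var (
	demoKey = []byte("0123456789abcdef") // 16 bytes: AES-128
	demoIV  = []byte("fedcba9876543210") // 16 bytes: one AES block
)

// encryptECB encrypts each block independently, which is what the
// developer's Blowfish/ECB code did (AES stands in for Blowfish here).
// Equal plaintext blocks therefore give equal ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// encryptCBC chains each block into the next, so identical plaintext blocks
// no longer produce identical ciphertext blocks. CBC is shown because the
// thread talks about moving to "a secure mode of a block cipher"; today one
// would pick an authenticated mode such as AES-GCM, which also detects tampering.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), block.BlockSize())
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// distinctBlocks counts the unique bs-byte blocks in data. For ECB on the
// repeated beacon this is 1: the ciphertext reveals that every block is equal.
func distinctBlocks(data []byte, bs int) int {
	seen := make(map[string]struct{})
	for i := 0; i+bs <= len(data); i += bs {
		seen[string(data[i:i+bs])] = struct{}{}
	}
	return len(seen)
}

// demo returns the number of distinct ciphertext blocks under ECB and CBC
// for the constructed beacon: 1 for ECB, 8 for CBC.
func demo() (int, int, error) {
	ecb, err := encryptECB(demoKey, beacon)
	if err != nil {
		return 0, 0, err
	}
	cbc, err := encryptCBC(demoKey, demoIV, beacon)
	if err != nil {
		return 0, 0, err
	}
	return distinctBlocks(ecb, aes.BlockSize), distinctBlocks(cbc, aes.BlockSize), nil
}

func main() {
	ecb, cbc, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext blocks, all identical\n", len(beacon)/aes.BlockSize)
	fmt.Printf("ECB: %d distinct ciphertext blocks (pattern visible)\n", ecb)
	fmt.Printf("CBC: %d distinct ciphertext blocks\n", cbc)
}
```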
Agreed. Which is why I pointed out that the encryption taking place under-the-hood tends to be a reasonable defense against a passive or less-resourced attacker while being frequently unsuitable against the
Whoever taps SMTP/POP3 bitstreams is hardly less-resourced. The only adversary you need to worry about is the resourceful one.
decision. But that does not mean that no security benefits are to be had from opportunistic encryption of Internet traffic.
Any massive deployment of crypto is subvertible. I see no way around it - it's like microsoft windows' vulnerabilities. To be safe, crypto needs to be diverse, custom-made and manual. The brain cycles you spend when encrypting are the only real defense.
friend's nor my ISP to have ready access to the cleartext of that email. Fortunately, we had encrypted SMTP connections end-to-end, thus protecting the contents of the email from the ISP's, albeit perhaps not from the NSA.
Very few run their own SMTP. Your own SMTP on your own box is not much different from PGP eudora plug-in autoencrypting. But you cannot use this argument to preach benefits of under-the-hood crypto - when almost all internet mail traffic uses ISP-owned SMTP servers.
noticed that a good majority of the P2P efforts introduced at CODECON all included support for encryption as part of the protocol. The various
I predict that first attempt to apply this on the gnutella/morpheus/kazaa/napster scale will lead to clampdown. Which is the reason that no one did it. We don't want osama sending orders that way. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows:
--
noticed that a good majority of the P2P efforts introduced at CODECON all included support for encryption as part of the protocol. The various
On 26 May 2002 at 19:24, Morlock Elloi wrote:
I predict that first attempt to apply this on the gnutella/morpheus/kazaa/napster scale will lead to clampdown. Which is the reason that no one did it. We don't want osama sending orders that way.
Osama Bin Laden can already send orders by PGP, or even S/MIME -- but fortunately he did not, perhaps for lack of comprehension. No one is cracking down on PGP or S/MIME. A few assholes floated some trial balloons, and spread some stories, but the Bush administration, while selling out to everyone else, blew that one off, perhaps figuring that if Bin Laden could not understand the issue, neither would the critics. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG JRE12TCQDYazxvzqIJSv7a+TSPn3wVDa/nJwgkr2 41luNgdnx0+kGF4wVVQyY+SpoJcWNsLOAIpXAgeiw
I agree that under-the-hood encryption is becoming more and more prevalent, and that it generally improves security. Also, the widespread use of encryption technology helps protect cryptorights in general as important to the public good. The fundamental problem with "under-the-hood" is that the user is not required to have any understanding of the process. Furthermore encryption technology is often also authentication technology. This includes transparently sending S/MIME documents (encrypted and/or signed) as a default without requiring additional user intervention. In many places this results in legally binding documents. Furthermore, anyone with access to a system can send legally binding e-mail documents on the user's behalf. Both legally-binding and authentication technology should not be completely transparent. Even "EULA's" require user-intervention. Digitally signed messages should require user-intervention. --- Lucky Green <shamrock@cypherpunks.to> wrote: ...
On Wed, 29 May 2002, Curt Smith wrote:
I agree that under-the-hood encryption is becoming more and more prevalent, and that it generally improves security. Also, the widespread use of encryption technology helps protect cryptorights in general as important to the public good.
This is kinda the opposite of...
Both legally-binding and authentication technology should not be completely transparent. Even "EULA's" require user-intervention. Digitally signed messages should require user-intervention.
this. Having it be "transparent" where the user doesn't need to know anything about how it works does not have to destroy the effectiveness of digital signatures or crypto. When people sign a document they don't know all the ramifications because few bother to read all of any document they sign - most of it won't apply as long as you keep your part of the bargain, so why bother? The same thing should be true of digital signatures. The user shouldn't have to know a thing, other than they've made a promise they better keep or all the bad clauses really do apply, and the proof of their signature will come to haunt them. The way the digital signature works does not matter to them, and it shouldn't need to. If digital crypto, signatures or e-cash are going to get into mass appeal, then their operations will be "magic" to the majority. And it all has to work, to 1 part in 10^8th or better, without user comprehension. It may well take "user intervention" to create a signature, but they shouldn't have to know what they are doing. Patience, persistence, truth, Dr. mike
Mike Rosing wrote:
If digital crypto, signatures or e-cash are going to get into mass appeal, then their operations will be "magic" to the majority. And it all has to work, to 1 part in 10^8th or better, without user comprehension.
It may well take "user intervention" to create a signature, but they shouldn't have to know what they are doing.
Agreed, the mechanics of a system are unimportant from a user's point of view, so long as it works and they can work it. What magic crypto should strive for, though, is an understanding in users of the effects its presence promotes, and the ramifications involved when it is lacking. SSL for commerce is readily in place without batting an eyelid these days. However, I'd be interested to know just how many users out there would enter their card details on an unprotected site, despite the unclosed padlocks and the alert boxes. Have security fears and paranoia been abated by widespread crypto to the point whereby users will happily transmit private data, whether encrypted or nay, just because they *perceive* the threat to now be minimal? Now that the media has grown tired of yet-another-credit-card-hack story? Pointers to any evidence/research into this much appreciated... ta. .g
I agree that the signer does not need to understand the mathematics or underlying technology for digital signatures to be viable. However, what good is an agreement when the parties do not know what the terms of the agreement are? A signature (digital or otherwise) generally indicates that the signer not only made an agreement, but also understood the agreement. A digital signature must involve a conscious decision by the signer to keep their part of an agreement. I maintain that this requires user intervention to verify that the signer knew that they were making an agreement - a "click of understanding" or pass phrase. Curt --- Mike Rosing <eresrch@eskimo.com> wrote: ...
On Wed, 29 May 2002, Curt Smith wrote:
A digital signatures must involve a conscious decision by the signer to keep their part of an agreement. I maintain that this requires user intervention to verify that the signer knew that they making an agreement - a "click of understanding" or pass phrase.
Yes of course - the point of signing something is a promise. The act of signing by pen is just being transformed into a different kind of act. I think typing a pass phrase is better than a click, but we'll see what the market develops. Graham, there are many university profs interested in security on the net, and the medical field is just starting to get into this in a big way. I'm not sure they are following consumers, but a web search on "medical crypto" may find you a lot of interesting tidbits. Patience, persistence, truth, Dr. mike
I ain't got that much schooling in these here matters, but it seems to me that in terms of the agreements, online agreements are pretty slacking when it comes to verifying that the end user actually read the document. Most agreements online take advantage of the fact that a user is going to skip reading the document and jump straight to the "Agree" button. If the end user insists on e-signing a document without having read it, it is their prerogative, but I think there should be a better system in place to ensure that they either read it or that they did not read it but agree anyway. Something along the lines of timers (set to an average number of minutes it takes to read the average contract), a keyword in the document itself that forces the user to peruse the document to find the keyword, or at least force the user to type "Agree" rather than just click a button. But hey, realistically speaking, I doubt there is much enforcement going on regarding these online contracts. Do we want the Federale involved in how these contracts are designed or is the industry going to self police?
CW
-----Original Message-----
From: owner-cypherpunks@ssz.com [mailto:owner-cypherpunks@ssz.com] On Behalf Of Curt Smith
Sent: Wednesday, May 29, 2002 12:21 PM
To: cypherpunks@lne.com
Subject: CDR: Re: When encryption is also authentication...
I agree that the signer does not need to understand the mathematics or underlying technology for digital signatures to be viable. However, what good is an agreement when the parties do not know what the terms of the agreement are? A signature (digital or otherwise) generally indicates that the signer not only made an agreement, but also understood the agreement. A digital signature must involve a conscious decision by the signer to keep their part of an agreement. I maintain that this requires user intervention to verify that the signer knew that they were making an agreement - a "click of understanding" or pass phrase.
Curt
--- Mike Rosing <eresrch@eskimo.com> wrote: ...
Having it be "transparent" where the user doesn't need to know anything about how it works does not have to destroy the effectiveness of digital signatures or crypto. When people sign a document they don't know all the ramifications because few bother to read all of any document they sign - most of it won't apply as long as you keep your part of the bargain, so why bother?
The same thing should be true of digital signatures. The user shouldn't have to know a thing, other than they've made a promise they better keep or all the bad clauses really do apply, and the proof of their signature will come to haunt them. The way the digital signature works does not matter to them, and it shouldn't need to.
If digital crypto, signatures or e-cash are going to get into mass appeal, then their operations will be "magic" to the majority. And it all has to work, to 1 part in 10^8th or better, without user comprehension.
It may well take "user intervention" to create a signature, but they shouldn't have to know what they are doing.
Patience, persistence, truth, Dr. mike
On Thu, 30 May 2002, cypherpunk_reader wrote:
If the end user insists on e-signing a document without having read it, it is their prerogative, but I think there should be a better system in place to ensure that they either read it or that they did not read it but agree anyway.
I don't think so. If they are fool enough to sign a document without reading it, it's the same as using a pen to sign a contract without reading it. A fool is a fool, why try to protect them? It's pretty hopeless to try because fools are so clever! I don't have a problem with a signing system that requires the user to do something (like maybe even use a pda stylus and actually sign with their own handwriting), but *forcing* them to read a contract is just plain silly. When enough fools have been burned by a scam, the word will get out and the rest of the fools who don't read contracts might think about not signing. An e-signature can have the same weight in law as an ink one, and the same rules apply. A fool and their money are soon parted. Patience, persistence, truth, Dr. mike
Mike Rosing wrote:
On Thu, 30 May 2002, cypherpunk_reader wrote:
If the end user insists on e-signing a document without having read it, it is their prerogative, but I think there should be a better system in place to ensure that they either read it or that they did not read it but agree anyway.
I don't think so. If they are fool enough to sign a document without reading it, it's the same as using a pen to sign a contract without reading it.
...
An e-signature can have the same weight in law as an ink one, and the same rules apply. A fool and their money are soon parted.
Here's my analysis of the current situation regarding electronic signatures in the United States. The following few paragraphs are the way things are as I see them, not necessarily how they should be.
An e-signature in this situation would indicate assent to a contract. One of the key points to forming a valid contract is a meeting of minds between the parties. Another is authentication that the alleged contracting party was actually the person who agreed to the contract.
Meeting of minds includes knowing, understanding, and agreeing to the terms of the putative contract. With paper contracts, even lengthy ones, knowledge and understanding are assumed if certain conventions are met, such as font size and emphasis of important terms, as well as opportunity to read the contract thoroughly. And the contracting party is assumed to be able to take the contract to a lawyer if he's uncertain about any part of it.
Many electronic agreements fail on one or more of these points. These contracts are often very lengthy, the equivalent of several pages of printout, and are often viewed only through a very small window, and often have small or otherwise illegible fonts. In paper, this would be similar to a five-page contract being written out on post-its, with only one visible at a time. Many of the agreements cannot be printed out, which interferes with both reading and obtaining expert advice. The situation is made even worse by the mingling of technical jargon with the legal jargon; many software-related contracts are even less intelligible than other contracts. Meeting of minds is questionable under these circumstances.
Authentication is similarly problematic. Ordinary contracts are commonly agreed to in person or with signatures. Electronic contracts are commonly agreed to with one or two mouse clicks. There is nothing to indicate that the "signer" was the person he alleged to be.
Some laws (see below) attempt to make this irrelevant, essentially saying that if your computer agreed, you agreed, but this is unlikely to stand up in court on basic principles.
I was unable to find any US case law (court cases which went to trial and verdict, and which were written up for publication) on this subject. Bear in mind that I no longer have access to Lexis or Westlaw, but google and such can usually find relevant cases. I suspect that there are no reported cases hinging on electronic signatures. This isn't surprising, because the oldest electronic signature law is less than six years old, and that's probably not enough time for a problem to have arisen, been litigated, been appealed, and been written up.
The "e-sign" law of 2000 doesn't provide much help. It states simply that a contract may not be denied solely because it was electronically signed. Furthermore, it applies only to interstate and international contracts. (Though most electronic contracts for, eg, downloaded software will be interstate or international.) It doesn't provide standards or guidance for what makes a valid electronic contract.
The Uniform Electronic Transactions Act (UETA) is a model law which about half of the states have enacted. Some, maybe most, of these states have modified UETA before passing it. It's not clear how this affects contracts in which only one party is in a UETA state. UETA says that an electronic record fulfills any requirements for a written contract document and that an electronic signature fulfills any requirement for a signature on the contract, and it outlines what constitutes an electronic record and an electronic signature. Interestingly, UETA states that an "agent", meaning a program, can fulfill the requirements for a signature, even without human participation.
See http://www.ladas.com/BULLETINS/2002/0202Bulletin/USElectronicSignature.html for a decent summary, and http://www.uetaonline.com/ for more detail.
Summary: Recent laws have attempted to make electronic contracting binding, but they have not addressed some of the fundamental principles of contract law. These fundamental principles are often stretched or broken in electronic contracting. There is no case law on electronic contracts. I suspect that a contested electronic contract would be easily voided.
OK, that's the way I think it is, currently in the US. The way I think it _should_ be is much more caveat emptor, as Dr Mike and others have said, but the legislators and judges have neglected to ask for my input.
-- Steve Furlong Computer Condottiere Have GNU, Will Travel
Vote Idiotarian --- it's easier than thinking
At 01:52 PM 5/30/2002 -0400, Steve Furlong wrote:
Summary: Recent laws have attempted to make electronic contracting binding, but they have not addressed some of the fundamental principles of contract law. These fundamental principles are often stretched or broken in electronic contracting. There is no case law on electronic contracts. I suspect that a contested electronic contract would be easily voided.
Nope. Back to the books for you. Here's a three-letter hint about the enforceability of "electronic contracts" - EDI. Also, take a look at these Internet-related cases -
_Caspi v. The Microsoft Network LLC_, 323 N.J. Super. 118, 732 A.2d 528 (N.J. Super. Ct. App. Div. 1999) (at <http://legal.web.aol.com/decisions/dlother/caspi.html>)
_Hotmail Corp. v. Van$ Money Pie_, 1998 U.S. Dist. LEXIS 10729; 47 U.S.P.Q.2D 1020 (N.D. Cal. 1998) (No. C98-20064 JW) (at <http://eon.law.harvard.edu/property00/alternatives/hotmail.html>)
_Groff v. America Online_ 1998 WL 307001 (R.I. Super. Ct. May 27, 1998) (at <http://legal.web.aol.com/decisions/dlother/groff.html>)
_Specht v. Netscape_ 150 F. Supp. 2d 585 (S.D.N.Y 2001) (at <http://www.nysd.uscourts.gov/courtweb/pdf/D02NYSC/01-07482.PDF>)
You might find _Law of the Internet_, Lexis Law Pub (2001) of interest.
-- Greg Broiles -- gbroiles@parrhesia.com -- PGP 0x26E4488c or 0x94245961
On Thu, 30 May 2002, Steve Furlong wrote:
Summary: Recent laws have attempted to make electronic contracting binding, but they have not addressed some of the fundamental principles of contract law. These fundamental principles are often stretched or broken in electronic contracting. There is no case law on electronic contracts. I suspect that a contested electronic contract would be easily voided.
Thanks, that was very enlightening. The URL is good too - they mention that "An electronic signature is defined as being: an electronic sound, symbol or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." I would never have thought of making a sound as part of a signature! But for voice prints, it might be a good idea.
OK, that's the way I think it is, currently in the US. The way I think it _should_ be is much more caveat emptor, as Dr Mike and others have said, but the legislators and judges have neglected to ask for my input.
Yes, and even if we tried to give input nobody would listen to me :-) Most of the issues here are human interface, what is reasonable to expect for a valid contract. The only thing I've ever "signed" online is an order for parts via credit card, and so far it's never been a legal problem. But I see where there could be major problems if people aren't really damn careful, so I'll probably be a lot more careful than I thought I was before! Patience, persistence, truth, Dr. mike
Mike wrote:
Thanks, that was very enlightening. The URL is good too - they mention that "An electronic signature is defined as being: an electronic sound, symbol or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."
I would never have thought of making a sound as part of a signature! But for voice prints, it might be a good idea.
IIRC, one of the reasons why sounds were included in the bill was to include the pressing of a telephone touch-tone key in the list of acts that can create a valid contract. --Lucky, "Press '1' to agree to transfer all your present liquid assets to me".
Mike Rosing <eresrch@eskimo.com> wrote:
Having it be "transparent" where the user doesn't need to know anything about how it works does not have to destroy the effectiveness of digital signatures or crypto. When people sign a document they don't know all the ramifications because few bother to read all of any document they sign - most of it won't apply as long as you keep your part of the bargain, so why bother?
Partially agreed - a user doesn't have to know *how* it works, but must have to take a positive step (eg, type in a password, answer "yes" to a "are you really sure you want to do this" message, that sort of thing) for it to be binding under most e-sig legislation. However, the law of contract assumes every dotted i and crossed t is read and fully understood to the full measure of the law. Enough people get caught out this way each year (they find the contract they signed isn't what they negotiated but (eg) binds them to a full term of service (say, two years) when they wanted a three month trial... There is a balance to be had here. It should be impossible for a random user to walk up to their powered off pc, power it on, then sign a document. It should be extremely difficult for a random user to walk up to a pc that has been left logged on (but which hasn't been used to sign documents for five minutes or so) and sign a document; it should be easy for the user to sign a large number of documents in rapid succession, without having to type in a complex password every single time. If this involves remembering the password for a specified "idle" time, or using a smartcard to auth (rather than a manual password or in addition) that the user can remove when he takes a coffee break then fine - but whatever you do must almost certainly use no other hardware than is already fitted to the machine, so a usb dongle could be ok for a home user but a credit-card style smartcard almost certainly won't be (although if anyone knows a decent floppy-adaptor for smartcards, I would love to know about it)
I concur. The problem is that the most prevalent e-mail program (Outlook) requires no user intervention as a default when signing and/or encrypting a message with S/MIME. One can override the default to "High Security" (requiring password) only while the X.509 certificate is being installed. I also agree that alternative authorization mechanisms (or combination thereof) are entirely appropriate: smartcards, flashcards, biometric readers, magnetic strips, bar codes, etc. Different schemes will work provided the hardware is available and adequate authentication can be assured.
Curt
--- David Howe <DaveHowe@gmx.co.uk> wrote:
Partially agreed - a user doesn't have to know *how* it works, but must have to take a positive step (eg, type in a password, answer "yes" to a "are you really sure you want to do this" message, that sort of thing) for it to be binding under most e-sig legislation. However, the law of contract assumes every dotted i and crossed t is read and fully understood to the full measure of the law. Enough people get caught out this way each year (they find the contract they signed isn't what they negotiated but (eg) binds them to a full term of service (say, two years) when they wanted a three month trial... There is a balance to be had here. It should be impossible for a random user to walk up to their powered off pc, power it on, then sign a document. It should be extremely difficult for a random user to walk up to a pc that has been left logged on (but which hasn't been used to sign documents for five minutes or so) and sign a document; it should be easy for the user to sign a large number of documents in rapid succession, without having to type in a complex password every single time. If this involves remembering the password for a specified "idle" time, or using a smartcard to auth (rather than a manual password or in addition) that the user can remove when he takes a coffee break then fine - but whatever you do must almost certainly use no other hardware than is already fitted to the machine, so a usb dongle could be ok for a home user but a credit-card style smartcard almost certainly won't be (although if anyone knows a decent floppy-adaptor for smartcards, I would love to know about it)
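The balance David Howe describes and Curt's "click of understanding", as an added example that is not code from any poster: a signing session that demands a positive step for each signature, lets a burst of documents be signed without re-entering the passphrase, and relocks after an idle period or when the card is pulled. The signature primitive is a standard-library stand-in, and the salt, passphrase and timeout are constructed values.

```python
"""Signing-session policy from the thread: a positive step for every signature,
no passphrase re-entry for a burst of signatures, and an idle timeout (or
token removal) that relocks the key.

Added example, not code from any poster. The signature primitive is a
stand-in (HMAC under a passphrase-derived key) so the block runs on the
standard library alone; a deployment would unlock an asymmetric signing key
or a smartcard and keep the same policy around it.
"""
import hashlib
import hmac
import time

IDLE_TIMEOUT = 300.0  # seconds: the "five minutes or so" from the thread


class FakeClock:
    """Controllable clock so the idle rule can be exercised deterministically."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SigningSession:
    def __init__(self, salt: bytes, idle_timeout: float = IDLE_TIMEOUT,
                 clock=time.monotonic):
        self._salt = salt            # constructed per-user salt (placeholder value)
        self._idle_timeout = idle_timeout
        self._clock = clock
        self._key = None             # None means "locked"
        self._last_use = 0.0
        self.audit = []              # trail the signer (or a dispute) can inspect

    def unlock(self, passphrase: str) -> None:
        """Positive step 1: the passphrase (or card PIN) makes the key usable."""
        self._key = hashlib.pbkdf2_hmac(
            "sha256", passphrase.encode("utf-8"), self._salt, 100_000)
        self._last_use = self._clock()
        self.audit.append("unlock")

    def lock(self, reason: str = "explicit") -> None:
        """Relock on request, on idle expiry, or when the card is pulled."""
        self._key = None
        self.audit.append("lock:" + reason)

    @property
    def unlocked(self) -> bool:
        """Idle rule: a session left alone past the timeout relocks itself."""
        if (self._key is not None
                and self._clock() - self._last_use > self._idle_timeout):
            self.lock("idle")
        return self._key is not None

    def sign(self, document: bytes, confirmed: bool) -> bytes:
        """Positive step 2: each signature needs the signer's explicit yes."""
        if not confirmed:
            raise PermissionError("signer did not confirm this document")
        if not self.unlocked:
            raise PermissionError("key is locked; passphrase or token required")
        self._last_use = self._clock()   # activity keeps the session alive
        digest = hashlib.sha256(document).digest()
        self.audit.append("sign")
        return hmac.new(self._key, digest, "sha256").digest()


def attempt_sign(session, document: bytes, confirmed: bool):
    """Return ("signed", sig) or ("refused", reason) instead of raising."""
    try:
        return "signed", session.sign(document, confirmed)
    except PermissionError as exc:
        return "refused", str(exc)


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    session = SigningSession(salt=b"constructed-salt", clock=clock)
    print(attempt_sign(session, b"order #1", True)[0])   # refused: still locked
    session.unlock("correct horse battery")              # constructed passphrase
    print(attempt_sign(session, b"order #1", True)[0])   # signed
    print(attempt_sign(session, b"order #2", True)[0])   # signed, no re-entry
    print(attempt_sign(session, b"order #3", False)[0])  # refused: not confirmed
    clock.advance(IDLE_TIMEOUT + 1)
    print(attempt_sign(session, b"order #4", True)[0])   # refused: idle relock
    print(session.audit)
```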
Hey, most of your points about crypto going under the hood are well taken. I wanted to echo Peter Gutmann's comments about PGP, and add that I see PGP as a protocol, and most of the protocols I use daily (TCP, IP, UDP, DNS, HTTP, SMTP) have not changed in the last 10 years and I don't need to upgrade my software to deal with them. Looking at PGP as a protocol gives you a different perspective. (I also see .doc, .xls and .ppt as protocols, and bad ones)
Adam
On Fri, May 24, 2002 at 01:44:53AM -0700, Lucky Green wrote:
| You may be asking yourself: where, oh where, has all the crypto gone? Where are the BlackNet's? Where is the untraceable Ecash? Where is the Cryptanarchy that we've been waiting for? For that matter...where is the crypto?
| The staunchest Cypherpunk will by now have noticed that PGP/GPG usage even amongst list members, once the bellwether indicator of Cypherpunks crypto adoption success, is in decline.
| NAI has pulled PGP off the shelves. Conspiracy theories as to what may have been driving this business decision abound. The fact of the matter is that the usage of PGP by businesses, the sole significant source of NAI PGP revenue, had long passed its peak. How many businesses do you know that rolled out PGP in the last year? How many do you know that quietly stopped using PGP after formally adopting its use with big fanfare a few years ago? The facts are that there are more of the latter than of the former. Did NAI receive The Briefing? I don't know. Nor does it really matter. There wasn't enough money to be made with PGP.
| A well-respected Cypherpunk recently expressed hope that if NAI's PGP were to disappear for good, perhaps compatibility problems amongst versions of PGP would diminish. A plausible sounding theory, if one were to assume that the compatibility problems amongst versions of PGP are between versions produced by different vendors. Presumably, the theory would go, with only one major supplier left standing, that being GPG (yes, I am aware there are others), interop problems with other vendors' implementations would pretty much disappear by definition.
| However, a closer inspection of the PGP interoperability problems, which have been one of the issues coming up in just about every single discussion I've had with anybody about PGP over the last year, shows that the interop problems are not between current versions by multiple vendors, but between versions, in some cases by the same vendor, that were released over time. The current version of NAI-PGP will interoperate just fine with the current version of GPG.
| So why is PGP interoperability such a frequently raised issue? And why does the importance of this topic seem to diminish the further away you stray from Cypherpunks into the realms of the casual PGP users? The answer to the second question is straight-forward. Even the most casual user of software tends to be familiar with and acceptant of the need for occasional software upgrades. It appears that those that are experiencing interop problems are those that are insisting on using up to 5-year old versions of PGP. It is true and should come as no surprise that those 5-year old versions do indeed have interop problems with newer versions of PGP.
| Some may say: I shouldn't need to keep on upgrading my software to be able to send encrypted email. Does anybody seriously believe that those that insist on using 5-year old versions of PGP have not upgraded their operating systems in those 5 years? Indeed, upgraded their operating systems more than once? Or does anybody seriously believe that those that insist on using old versions of PGP still run the exact same version of their MUA and text editor as they did 5 years ago? Of course they don't. If they did, their boxes would long have become unusable due to the warez traffic taking place on the machines as a result of the countless remote exploits discovered over these last 5 years.
| The reluctance to upgrade to a newer version of PGP does not appear to be driven by a refusal or inability to upgrade software in general. This reluctance to upgrade appears PGP specific. Why this is the case I do not know. (And don't greatly care. I am running the latest version of NAI PGP and I can make my copy talk to any version of PGP 2.x or higher).
| Now perhaps there may be the rare case of a PGP user that is still running PGP 2.x on the same DOS box, using the same mailer and the same text editor as they did 5 years ago. I don't know of any such users, but that doesn't mean no such users exist within the vastness of the Internet. What I do know is that those that I am aware of that are complaining about PGP version interoperability problems do not fall into the rare category of users who have not upgraded any software at all for the last 5 years.
| Since the existence of multiple PGP software providers has not been the cause of the interop problems experienced by some, reducing the number of PGP implementation providers should not be expected to have a significant impact on the number or severity of PGP interop problems experienced by the users.
| The same Cypherpunk expressed a hope that absent NAI's PGP, the German government group currently funding GPG might be more inclined to fund UI work for Windows. Perhaps they would. Assuming for a moment they will, would this lead to a better PGP Windows UI than NAI's PGP offered? NAI's PGP UI is pretty darn good. Looking at the sorry state of UI's currently offered for GPG, even with government funding, I suspect that it will be a long time indeed before we will see a GPG UI that will compare positively to the current NAI PGP UI. Of course Cypherpunks know that it is dangerous to base one's hope for the development of Cypherpunk tools on funding by a government. Be that the US government or the German government. Strongly pro-crypto German governmental officials have been known for their propensity to stumble out of the windows of high story buildings. Warnings regarding the dangers that may lurk in parking lots come to mind.
| Where has the crypto gone? The crypto has gone under the hood, away from the UI, to a place where the crypto will be of most use to the average user. Yes, for crypto to be secure against the active, well resourced, attacker, the crypto must at one point touch the user to permit the user to make a trust decision. But to secure communications from passive and/or less resourced attacker, crypto can be placed under the hood.
| I bet a good percentage of the readers of this list that still require to be engaged in a form of employment nowadays access their company network via some form of VPN. Up by orders of magnitude from a few years ago. More importantly, a good percentage of users that have never heard of this mailing list and will never hear of this mailing list are using strong crypto to access their company's information. The percentage of users utilizing strong crypto is increasing daily.
| Another major segment of Internet infrastructure in which strong crypto is rapidly becoming the default rather than the exception, at least amongst those running their own servers, is SMTP. The percentage of SMTP connections to my mail server that use TLS to encrypt SMTP has grown from around 30% a few months ago to well over 60% today. This increase in the use of STARTTLS on SMTP appears to parallel a loss of sendmail MTA market share in favor of postfix. It is just too darn easy to turn on support for STARTTLS during a migration to postfix, hence most sites performing such a migration appear to do so.
| (I am aware that sendmail and qmail support STARTTLS as well, but the increases in the use of STARTTLS that I am seeing at my SMTP server coincides with sites switching MTA's to postfix. I see a handful of qmail sites using TLS, representing a fraction of the postfix sites, and no sendmail site that I have noticed. Having once considered activating STARTTLS in sendmail myself, I vividly recall myself reading the instructions, bursting out laughing, followed by my researching competitive MTA's. Within a week I had switched to postfix. Wished I had done so years ago. All these hours that I wasted over those years... YMMV).
| An interesting side-effect of the increased adoption of MTA's and MUA's that support STARTTLS is that I now have a link that is secure against passive eavesdroppers to the majority of those with whom I regularly correspond in encrypted email. Is protection against only passive eavesdroppers good enough for me? No. Are we a heck of a lot further along than we were 5 years ago? I would argue that we are.
| Where has all the crypto gone? It has gone mainstream. Some of you may remember the discussions from years ago how we should try to find a way to make crypto cool and attractive for the average person.
| This afternoon, I installed the "Britney Spears SmartFlash Kit" on my Windows XP test box. For $29.95 plus shipping and handling, you too can own a Britney SmartFlash Kit, which includes a USB smartcard reader, a Gemplus smartcard (both the reader and card are graced with pictures of Britney), and a CD with Gemplus GemSafe smartcard crypto driver software (the click-wrap EULA reminds you that export to Cuba, Libya, and other naughty countries or those developing biological weapons is strictly prohibited. Sorry pop music fans located in Cuba or at the CDC).
| Once you have installed the gear and inserted one of the 5 possible Britney Spears' smartcards (collect all 5), you will automatically be taken to a client-authenticated, 128-bit RC4 encrypted website that provides you with exclusive access to such exciting content as 45 second QuickTime clips of Britney purchasing chocolates and of course Fe's (Britney's most trusted advisor) indispensable advice column. A representative sample question follows.
| "Dear Fe: I'm 14 but my parents treat me like I am 10! They won't let me go out at night, and won't even let me bring a boy to the Homecoming dance. I'm in high school and want to do all the things that go along with that, but they won't let me! -- Trying to Grow Up, Americus, GA".
| I will spare you Fe's answer (get your own smartcard :), but I won't spare you this: if you wonder where crypto has gone, you need to look no further than Americus, GA. If the question posed to Fe leaves any doubt about the nouveau crypto users' demographics, a drop-down list inquiring about the user's age to participate in a contest (smartcard required) should help clarify matters. The age selections offered are: [2-6], [7-12], [13-15], [16-18], [over 18]. Do not worry should your parents disapprove of your choice of music. If you hear your parents walk up to your door, just yank the card out of the reader and your browser will close instantly.
| Crypto has gone as mainstream as can be. While crypto for crypto's sake may not have become cool to everybody, crypto has become a Must Have for your average 14 year-old high school freshman girl. Crypto has become ubiquitous.
| http://www.britneyspears.com/smartflashcard/index.php
| As to when we'll see BlackNet and untraceable Ecash, who knows. Here's hoping to 2005.
| [In the time it took me to write this post, another of the regular entries in my maillog has turned on STARTTLS, protecting the SMTP connection with EDH and 3DES].
| --Lucky
| -- "It is seldom that liberty of any kind is lost all at once." -Hume
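Lucky's measurement above (the share of inbound SMTP sessions that negotiate TLS, and noticing when a regular correspondent's MTA turns on STARTTLS) as an added example, not code from the thread: a parser over constructed postfix smtpd log lines that reports the TLS share, the ciphers seen, and which peers still connect only in the clear. The line layout approximates the postfix smtpd log format of the period and is an assumption, as are the hosts and addresses.

```python
"""Share of inbound SMTP sessions that negotiated TLS, from postfix smtpd logs.

Added example, not code from the thread. The log lines below are constructed;
their layout (connect / TLS connection established / disconnect, keyed by the
smtpd process id) approximates postfix's format and is an assumption.
"""
import re
from collections import Counter

# Constructed sample: five sessions, three of them with TLS, one non-smtpd line,
# and a reused smtpd pid (3110) to show that sessions are tracked per connect.
SAMPLE_LOG = """\
May 30 12:21:04 mx postfix/smtpd[3110]: connect from mail.a.example[192.0.2.10]
May 30 12:21:05 mx postfix/smtpd[3110]: TLS connection established from mail.a.example[192.0.2.10]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
May 30 12:21:06 mx postfix/smtpd[3110]: disconnect from mail.a.example[192.0.2.10]
May 30 12:22:10 mx postfix/smtpd[3111]: connect from relay.b.example[198.51.100.7]
May 30 12:22:11 mx postfix/smtpd[3111]: disconnect from relay.b.example[198.51.100.7]
May 30 12:23:30 mx postfix/smtpd[3112]: connect from smtp.c.example[203.0.113.5]
May 30 12:23:31 mx postfix/smtpd[3112]: TLS connection established from smtp.c.example[203.0.113.5]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May 30 12:23:40 mx postfix/smtpd[3112]: disconnect from smtp.c.example[203.0.113.5]
May 30 12:24:00 mx postfix/qmgr[2999]: 4F2A1B3: from=<sender@a.example>, size=2048, nrcpt=1 (queue active)
May 30 12:25:02 mx postfix/smtpd[3110]: connect from mail.d.example[192.0.2.44]
May 30 12:25:03 mx postfix/smtpd[3110]: TLS connection established from mail.d.example[192.0.2.44]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
May 30 12:25:09 mx postfix/smtpd[3110]: disconnect from mail.d.example[192.0.2.44]
May 30 12:26:15 mx postfix/smtpd[3113]: connect from relay.b.example[198.51.100.7]
May 30 12:26:16 mx postfix/smtpd[3113]: disconnect from relay.b.example[198.51.100.7]
"""

# One smtpd event per line: the pid ties the TLS line to its connect line.
LINE_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<event>connect from|TLS connection established from|disconnect from) "
    r"(?P<host>[^\s\[]+)\[(?P<addr>[^\]]+)\]"
    r"(?:: (?P<proto>\S+) with cipher (?P<cipher>\S+))?"
)


def tls_share(log_text: str) -> dict:
    """Walk the log once and summarise which sessions were protected by TLS."""
    open_sessions = {}   # pid -> session currently in progress
    finished = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue             # qmgr, cleanup, etc. are not smtpd sessions
        pid, event, host = m["pid"], m["event"], m["host"]
        if event == "connect from":
            open_sessions[pid] = {"host": host, "proto": None, "cipher": None}
        elif event.startswith("TLS") and pid in open_sessions:
            open_sessions[pid]["proto"] = m["proto"]
            open_sessions[pid]["cipher"] = m["cipher"]
        elif event == "disconnect from":
            session = open_sessions.pop(pid, None)
            if session is not None:
                finished.append(session)
    finished.extend(open_sessions.values())   # sessions still open at log end
    tls_sessions = [s for s in finished if s["cipher"]]
    all_hosts = {s["host"] for s in finished}
    tls_hosts = {s["host"] for s in tls_sessions}
    return {
        "connections": len(finished),
        "tls_connections": len(tls_sessions),
        "tls_share": len(tls_sessions) / len(finished) if finished else 0.0,
        "ciphers": Counter(s["cipher"] for s in tls_sessions),
        "tls_hosts": sorted(tls_hosts),
        # Peers that never negotiated TLS: the ones to watch for "turned on STARTTLS".
        "plaintext_only_hosts": sorted(all_hosts - tls_hosts),
    }


if __name__ == "__main__":
    report = tls_share(SAMPLE_LOG)
    print(f"{report['tls_connections']}/{report['connections']} sessions used TLS "
          f"({report['tls_share']:.0%})")
    print("ciphers:", dict(report["ciphers"]))
    print("still plaintext only:", report["plaintext_only_hosts"])
```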
participants (13)
- Adam Shostack
- Curt Smith
- cypherpunk_reader
- David Howe
- Ed Stone
- Graham Lally
- Greg Broiles
- jamesd@echeque.com
- Lucky Green
- lutz@iks-jena.de
- Mike Rosing
- Morlock Elloi
- Steve Furlong