Man in the Middle Revisited (but not for the last time)
At 7:03 PM 10/9/95, Hal wrote:
tcmay@got.net (Timothy C. May) writes:
For communication, the only credential Alice needs to ensure that only Bob can read her message is that she uses Bob's public key. If "Bob the Key" reads it, presumably it was "Bob the Person" who read it.
(Again, Bob the Key = Bob the Person to many of us. If Bob the Person has let his private key out, so that Chuck the Person is also able to read the Bob the Key stuff, etc., then of course cryptography cannot really handle this situation.)
OK, but again, what about the man in the middle attack? Suppose the key that you found that claims to be from Bob is actually not his, but another one created by a man in the middle, such as Bob's malicious ISP? Then that ISP is decrypting the messages Alice sends to him using that fake key, and re-encrypting them using Bob's real key. He is reading all of the messages, and Alice and Bob do not in fact have communications privacy.
There are many, many people on the list that I know only from their posts and their public keys (not that I'm a heavy user of PGP as some of you are, though some of you I have dealt with via PGP messages). I don't know if "Carl Ellison the Key" is "really" the same Carl Ellison that Carl Ellison the Key claims to be...you see the semantic difficulties. What I know is that the Carl Ellison who sends me PGP messages and who appears to be working at TIS is not publicly disputing messages sent by an MITM attacker. (True, the MITM could be only targeting _me_, and so the "real" Carl Ellison could be unaware that the "fake" MITM Carl Ellison is masquerading as him.) But if I really care I can post a public channel (the CP list, for example) query, encrypted to the known public key (used in many past posts, for example) of "Carl Ellison the Key," asking if he sent the message to me.

To put it bluntly, all I really care about is _persistent_ key-holding, i.e., that the person who began posting with a given key is still using the same key. Or, rather, I don't even care if the keyholder "Pr0duct Cypher" is actually a person, or a Bourbaki-style committee--I only care that messages purporting to be from Pr0duct Cypher or Black Unicorn or Carl Ellison are still using the same key.

Who any of these entities "really" are is irrelevant to me. (I don't even know if Hal Finney, who I met once a few years ago, is the "real" Hal Finney, nor do I really care.)
I don't want to overstate the risk of this attack. It would not be an easy one to mount and I believe there are countermeasures which could detect it unless the MITM had nearly supernatural powers. But the MITM attack is normally considered seriously in discussing crypto protocols. It is a well known weakness in Diffie-Hellman, for example. That is why authenticated Diffie-Hellman is used in some of the newly proposed key exchange protocols for IP. The risks of MITM attacks on public key systems were recognized not long after those systems were proposed. The problems with fake keys have been discussed for over a decade.
Why is this all suddenly irrelevant? Were these attacks never realistic? Is it just not a problem somehow? I am baffled by the fact that people are just turning their backs on all these years of research and experience. If this is some kind of paradigm shift in which the idea of communicating with keys is seen as the key to the puzzle, then I am afraid I don't share the enlightenment. To me the problem seems as real as ever.
Well, I'm not saying the work is unimportant. What I'm saying--and I think others are too--is that there is no crisis that calls for "certificate authorities" to provide "proof" that a keyholder is who he says he is. I'm happy continuing to trust that people are who I once thought they were, by their signatures and their apparent ability to read messages encrypted to their public key. If in fact I am dealing with body-snatchers who actually infiltrated the identity of "Carl Ellison" and are able to act as him, so what? I never met the "real" Carl Ellison, so who cares if Carl Ellison the Key is really Carl Ellison the Biological Entity who Grew up in Foobar, Pennsylvania and Graduated from Bobby Ray Inman H.S. in 1975?

That's all. If people want to work on credentials and similar certificate processes, that's great. But I'm saying I see no compelling need _for myself_ and will strongly argue against some of the reasoning we are hearing about why certificates need to be issued. (Because I have also read the Postal Service proposals that they get into the business of certification of e-mail in various ways, and because of the various other schemes being discussed which seem less than voluntary.)

--Tim May

Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."
-----BEGIN PGP SIGNED MESSAGE-----

The entity calling itself "Timothy C. May" <tcmay@got.net> is alleged to have written:
I don't know if "Carl Ellison the Key" is "really" the same Carl Ellison that Carl Ellison the Key claims to be...you see the semantic difficulties.
<snip> Ah, but what we are concerned with is whether "Carl Ellison the Key" is *really* the same "Carl Ellison the Key" that you think he is. :-) Or to put it another way, that *he* thinks he is the same "C.E. the Key" that you think he is.
To put it bluntly, all I really care about is _persistent_ key-holding, i.e., that the person who began posting with a given key is still using the same key. Or, rather, I don't even care if the keyholder "Pr0duct Cypher" is actually a person, or a Bourbaki-style committee--I only care that messages purporting to be from Pr0duct Cypher or Black Unicorn or Carl Ellison are still using the same key.
Who any of these entities "really" are is irrelevant to me. (I don't even know if Hal Finney, who I met once a few years ago, is the "real" Hal Finney, nor do I really care.)
Well and good, Tim, but you *do* care if the entity calling itself "Hal Finney" is being surrounded by the Man in the Channel ("Mitch") and all of your communications with that entity are under Mitch's control.

For example, you may choose to enter a contract with the entity calling itself "Hal Finney", and provide some sort of consulting service to it in exchange for 10,000 cyberbucks. If Mitch is actually in control then he could easily steal both the output of your consultation *and* Hal's 10,000 cyberbucks and leave the two of you hating each other.

Perhaps by "persistent key-holding" you mean to imply "without being spoofed by Mitch", in which case I'm sure that you agree on the importance of anti-Mitch measures. :-)

Bryce

signatures follow

"To strive, to seek, to find and not to yield."
<a href="http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html"> bryce@colorado.edu </a>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

iQCVAwUBMHs70fWZSllhfG25AQECWwQAnk/HRTk/h0tCT80AriH28yLlCQiciGmV
T1LShDolvEGEgHThm7tG4LGRVoVUyn7h4MbmJMCXsOV7i0RlvMTA4yVZW9KIiN4O
lSzWIQSdIYLS2SQ93cmDART6kV0BBC50FeAAfEBy9PNPaX7ifjmpB0QFzjeLxTG5
TXglWqP9ijo=
=K9/N
-----END PGP SIGNATURE-----
participants (2): Bryce, tcmay@got.net
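The two positions argued in this thread, as an added example that is not part of either post: a key-continuity store ("persistent key-holding") flags a key that changes after first contact, but pins a substituted key without complaint if the substitution was in place from the first message, and only a fingerprint obtained over an independent channel exposes that case. The class, function names and key blobs are assumptions constructed for the illustration.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a public key blob, hex-encoded."""
    return hashlib.sha256(public_key).hexdigest()

class KeyContinuityStore:
    """Pins the first key seen per correspondent and flags later changes."""
    def __init__(self):
        self._pins = {}

    def observe(self, name: str, public_key: bytes) -> str:
        fp = fingerprint(public_key)
        pinned = self._pins.get(name)
        if pinned is None:
            self._pins[name] = fp
            return "first-use"   # nothing to compare against yet
        if hmac.compare_digest(pinned, fp):
            return "match"       # same key as before: persistence holds
        return "changed"         # persistence broken: investigate

    def confirm_out_of_band(self, name: str, fp_other_channel: str) -> bool:
        """Compare the pin with a fingerprint learned over an independent channel."""
        pinned = self._pins.get(name)
        return pinned is not None and hmac.compare_digest(pinned, fp_other_channel)

# Constructed sample key blobs (placeholders, not real PGP keys).
BOB_REAL_KEY = b"constructed-sample: Bob's real public key"
MITCH_FAKE_KEY = b"constructed-sample: key generated by the interposer"

def substitution_after_first_contact():
    """The real key is pinned first; a later swap is detected by continuity alone."""
    store = KeyContinuityStore()
    return [store.observe("bob", BOB_REAL_KEY),
            store.observe("bob", BOB_REAL_KEY),
            store.observe("bob", MITCH_FAKE_KEY)]

def substitution_from_first_contact():
    """The fake key is pinned first; continuity looks healthy, out-of-band check fails."""
    store = KeyContinuityStore()
    seen = [store.observe("bob", MITCH_FAKE_KEY),
            store.observe("bob", MITCH_FAKE_KEY)]
    # Bob's fingerprint arrives via a channel the interposer does not control.
    ok = store.confirm_out_of_band("bob", fingerprint(BOB_REAL_KEY))
    return seen, ok

if __name__ == "__main__":
    print(substitution_after_first_contact())
    print(substitution_from_first_contact())
```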