Tim May <tcmay@got.net> writes:

Declan writes:

...

[...]all Rep. Solomon etc. have to do is wave around a shrinkwrapped copy of PGP and say: "I bought this for $19 at the Egghead shop at 21st and L." Details will be lost in the fearmongering.

Yep, they're already doing this. This was reported a week or so ago, somewhere here in Cypherpunks.

Another interesting thing was that the French picked up on it too -- very interesting for them because they are just switching from crypto-ban to mandatory GAK. I suspect if PGP Inc could get an export license they would buy in to it heavily. (Fabrice Planchon <fabrice@math.Princeton.EDU>, and Jean-Francois Avon kindly translated a French document on the web "pgp tows the line" or something like that I think was the consensus they arrived at on correct translation of the title of the document). The indirect other danger is that in going the CMR route, PGP Inc may be standards setters either through the OpenPGP standard, or outside of it (in a similar way to the way netscape extensions are supported by many vendors long before they are part of HTML 3.x or whatever). If CMR becomes the standard, this greatly simplifies the task of TIS, or TIS europe, or anyone else in building a much more GAK friendly product which can interoperate with OpenPGP. I think I saw a tis.com address on ietf-open-pgp discussions list and wouldn't be surprised if they are busy building TIS OpenPGP compliant GAKware right now. A second indirect danger is that by taking this approach PGP Inc damages itself by isolating itself from the large cypherpunk and pro-privacy community, and that an even less friendly crypto email standard wins by default. How much protection do we have in S/MIME vendors. We were relying on PGP Inc to set the pro-privacy, anti-GAK line, and then we all would have been behind them in pushing the OpenPGP standard ahead of other standards because of it's GAK resistance. As it is various cypherpunks are scrambling trying to keep the OpenPGP standard a CMR free-zone, at least as a temporary measure for this version of the standard. As to what PGP Inc were thinking, I'm not sure I understand what they were thinking ... Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

Jonah Seiger <jseiger@cdt.org> writes:

While I suspect that new key recovery or CMR products may create some new traction for supporters of mandatory GAK, PGP 5.5 is not the first example of such a product (TIS has been marketing key recovery products for a while).

PGP has stated that their corporate user requirement is recovery of stored data. This can be easily be acheived by escrowing storage keys, or other stored data recovery methods. That includes sent and received email archives. CMR seems more functionally suited to wire-tapping or corporate snooping. PGP denies that this is a design decision. PGP states that they want to make a system which is hard for governments to abuse as the basis of mandatory GAK. If we accept those denials, the CMR design does not meet it's design well. It sends recovery information with the communication, which is both a bad security practice, and easy for government to abuse. Please read: http://www.dcs.ex.ac.uk/~aba/cdr/ for an example of a storage key recovery design for data recovery which is more resilient to government abuse.

More importantly though, the Blaze et al study (http://www.crypto.com/key_study) did not say that key recovery/key escrow systems can't be built. It said that such systems designed to meet law enforcement specifications (24/7 real time access, the infrastructure for key exchanges, and security considerations necessary for such a system to function) are beyond the scope of the field and would create significant vulnerabilities in the network.

This is an important distinction.

That study was talking about the design problems in centralised key escrow. PGP Inc's design means that these design problems are bypassed; the CMR design (if/when it gets abused by government to become a "GMR" design) means that the NSA can publish a GMR master key on their web page today, and that Clinton can pass the presidential decree tomorrow. Some have argued, that you _could_ build a similar system with pgp2.x using it's multiple recipients feature. I agree, you could. However that is no excuse to go and build such a system! It is much less dangerous to build CDR systems; much less dangerous to build systems which are able to recover only data stored on disk.

So far, Soloman, the FBI, nor other mandatory GAK supporters have said that PGP 5.5 or other key recovery products on the market today solve their so-called 'problems'. I don't really expect them to. They seem to want much much more.

All that they want is possible with pgp5.5, or will be with pgp6.0, and backwards compatibility is already in place in 5.5 (and perhaps 5.0, tho' this compatibility seems to be hard to get anyone to clarify). Another claim is that the CMR system is easy to by pass, and therefore it is privacy friendly. I'm not sure this argument amounts to much, because clipper was also easy to by pass. Unless you're using steganography, the government could detect the bypass, and then the GAK system becomes just another one of those laws that the die-hards break, but which can translate into 10 years jail time if you get caught, or if the government decides you need knocking down a peg or two. I would have thought if any one understood this, it would have been Phil Zimmermann, after his Federal investigation. Really, if you are familiar with the clipper design, PGP Inc's CMR is a very related design, it is almost exactly clipper implemented in software. The design allows for multiple "message recovery" keys, or it allows for one single centralised one (belonging to the NSA, if the NSA has their way). The Blaze et al report you are quoting just says that having a single central recovery key is an incredible security risk. It also says that managing many frequently changing recovery keys centrally is also complex. The NSA still seemed to think it worth the risk with the clipper design, because they figured they could keep the key recovery database locked up well enough to prevent another Ames selling it to the Russians, or whoever. PGP 5.5 is clipper written in software. Yes it can be bypassed, yes the software has privacy options which make the recovery option optional; it also has installation options to make it non-optional; by passing the non-optional version can be detected by a corporate or government snoop. Corporate snoops are yucky but they are much less ominous than government snoops. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

William Geiger <whgiii@invweb.net> writes:

Adam Back <aba@dcs.ex.ac.uk> writes:

...

I think we'd be more interested to see an analysis piece of the political merits/demerits of the pgp5.5 CMR corporate message recovery technique than of _toilets_.

Where do you stand on the CMR argument? Or are you staying away from the hot potato :-)

Exactly who died and made you the guardian of Truth, Justice, and the Cypherpunk Way???

I just react to issues I think are important, or which seem interesting to me, same as anyone else. I happen to think this CMR issue is important. If you disagree, and think the CMR danger is over-rated, well speak up please! If you think I am a big mouth speak up too (as you have:-)

Sometimes I think you take yourself way too seriously Adam.

Well there is always a `d' key, or one of your nifty O/S2 spam filters. Also I would be interested in your personal views as a PGP compatible mail script implementor on how easy CDR is to implement (http://www.dcs.ex.ac.uk/~aba/cdr/) with your setup. Some people are objecting to the difficulty of implementing it. I think it is fairly easy. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

Declan McCullagh <declan@well.com> writes:

...

More importantly though, the Blaze et al study (http://www.crypto.com/key_study) did not say that key recovery/key escrow systems can't be built.

In fact it said: "Building the secure infrastructure of the breathtaking scale and complexity that would be required for such a scheme is beyond the experience and current competency of the field." Sounds like "can't be built" to me.

They are right: it can't be built securely. But that's not what the NSA et al are saying, they are saying we can build it if you trust us not to divulge the keys. Clearly they can. Also clearly we don't trust them. The Ames syndrome dictates that sooner or later someone will sell the database or government master key. pgp5.5 or 6.0 when it comes out, are viable for such purposes. Quite similar to clipper: all you need is for the NSA to publish a public key, and for Clinton to pass a presidential decree that all companies using (the yet to be released) pgp6.0 should add that key to the list of CMR recipients. People sticking up for CMR (Lucky, Jon Callas, others) say: but you can by pass it. I say so what. You could by pass clipper too, it still didn't make it a good idea. You can be detected when you by pass it. With stiff penalties for companies or individuals for by passing, and the chance of detection, it sounds viable to me.

...

So far, Soloman, the FBI, nor other mandatory GAK supporters have said that PGP 5.5 or other key recovery products on the market today solve their so-called 'problems'. I don't really expect them to. They seem to want much much more.

I agree that PGP 5.5 doesn't meet the FBI's demand for realtime access.

Why do you think it doesn't meet their demand for real-time access? pgp5.5 supports multiple CMR fields attached to userids on the key. So in a company scenario, that would mean that before the presidential decree, the listed CMR key would be: snoopy@acme.com. After the presidential decree, they would have to list two extra crypto recipients: snoopy@acme.com, and thoughtpolice@nsa.gov. I think that pgp6.0 (or whatever it will be called) when it is released will allow keys to have multiple CMR key requests attached to userids. This will enable it for real. (pgp5.5 as far as I can understand only provides support in the GUI for adding one CMR key request per userid). pgp5.5 already supports multiple CMR key requests per userid in that it knows how to reply to them. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

Declan McCullagh <declan@well.com> writes:

The relevance? Another example of Singapore's loony politics. Strict social controls and relative economic freedom. I find it fascinating in light of Net-filtering and other attempts at restricting information flow; if you don't, well, you can always delete it. :)

The net-filtering and social control aspects of Singapore are very interesting. Seems that somewhere like Singapore might be an earlier adopter of mandatory GAK -- social ills have hugely disproportionate treatment over there. I hear (and our Singaporean contributer confirms) that chewing gum is illegal, jay walking too. (Hey you have the jay walking laws in the US too don't you?) (I missed the social control aspect of the vote for kewlest public toilet story). We all suffer this kind of mind numbing stupidity on part of our governments to some extent. Outlawing of `rambo' knives, laws defining pi = 3, etc., etc.

[CMR topic:] My position is something along these lines: corporations have a right to go down the CMR path; it is unwise to restrict them through the coercive power of the state.

The question is really what _is_ the CMR path? PGP Inc are arguing that it is merely a recovery procedure to recover stored data in event of disaster (stored emails in mail folders, and files encrypted to yourself). However the design seems itself much more suited to message screening, or message snooping. I have yet to see any PGP Inc representative admit to the message screening design motivation. In fact they have fairly clearly denied this. Either you believe that, or you figure they are being careful not to admit to this. I don't know what to believe. The CDR approach (http://www.dcs.ex.ac.uk/~aba/cdr/) is more secure, less politically dangerous, and equally privacy respecting.

At the same time, we need to speak out against crypto-foolish practices. If corporations start building CMR products, the political consequences could be devestating. It's like building a gallows for your own hanging.

Yes, I think it is potentially dangerous.

...

From my perch in Washington, I see PGP 5.5/CMR as an existence proof that key recovery can be done. So far the crypto-advocates have been able to wave around the Blaze et al white paper that says we don't know how to do it. Even Dorothy Denning agreed. But now when a mandatory GAK bill goes to the House floor, all Rep. Solomon etc. have to do is wave around a shrinkwrapped copy of PGP and say: "I bought this for $19 at the Egghead shop at 21st and L." Details will be lost in the fearmongering.

This is one example of why CMR may be dangerous. Another is the danger that we have a couple of years of mass CMR enabled software deployed. Tim has been using the acronym GMR, which nicely says what a well deployed CMR software base can be converted to with an over night presidential decree. Lethal.

I suspect that there's not that substantial a market for CMR. The apparent market demand now is an artificial one created by the Clinton administration.

Again, what _is_ CMR? I do think companies if they are storing lots of data in encrypted form will want to assure themselves that they can get it back. Sort of like unix/windows NT passwords; if every time users forgot their password, you had to start over with an empty account, people would get annoyed. The problem is that pgp5.x is both an email encryption system and a file encryption system. So PGP Inc argue that they need the recovery features for files. Well OK, but for emails in transit? The way to treat emails in transit is to encrypt with recovery info after receipt, if the employee feels that particular email is worthy of saving for company records. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

-----BEGIN PGP SIGNED MESSAGE----- In <199710231543.XAA02822@ganymede.contact.com.sg>, on 10/23/97 at 11:43 PM, Harish Pillay <harish@ganymede.contact.com.sg> said:

Hi. For the sake of sanity and completeness, the following has to be corrected.

...

Declan McCullagh <declan@well.com> writes:

...

The relevance? Another example of Singapore's loony politics. Strict social controls and relative economic freedom. I find it fascinating in light of Net-filtering and other attempts at restricting information flow; if you don't, well, you can always delete it. :)

The net-filtering and social control aspects of Singapore are very interesting. Seems that somewhere like Singapore might be an earlier adopter of mandatory GAK -- social ills have hugely disproportionate treatment over there. I hear (and our Singaporean contributer confirms) that chewing gum is illegal, jay walking too. (Hey you have the jay walking laws in the US too don't you?) (I missed the social control aspect of the vote for kewlest public toilet story).

Chewing gum per se is not illegal. I just cannot buy them from any store in Singapore. I can chew to my heart's content. I can go up north to Malaysia, buy a whole month's supply of gum (name your flavour) and bring it back into Singapore.

So, what is moronically illegal is that I cannot sell that pack of gum.

Signapore is a prime example of "mirco management" at it's worst. Whenever such management is attempted either in the public or private sector they fail. It should be intresting to see how long Singapore can keep it up. - -- - --------------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: cp850 Comment: Registered_User_E-Secure_v1.1b1_ES000000 iQCVAwUBNE+Ar49Co1n+aLhhAQFkGgP9EBgH35RfnpFLuWUnZnLESCeShTmAiOMG hClqCT7hKdjjqnfxAaPU5DlLKcTsgYlssMXiv8q0T2C+g7vooI+QAHvEowArY4Vo UxjaQgcsCF7gbVccJwTzBzaGBushiMJx1bUVsdFpWn/H/LfOaPbKSaBj4uFCV71q zOuU1jIqbZg= =2hOc -----END PGP SIGNATURE-----

At 11:38 AM -0700 10/22/97, Adam Back wrote:

This is one example of why CMR may be dangerous. Another is the danger that we have a couple of years of mass CMR enabled software deployed. Tim has been using the acronym GMR, which nicely says what a well deployed CMR software base can be converted to with an over night presidential decree. Lethal.

About "GMR," I use it only because it's a direct parallel to CMR, with "Government" replacing "Corporate." In fact, as others also suspect, I anticipate some countries will mandate the precise form CMR is taking in PGP 5.5, with a requirement that the corporate keys be given ("escrowed" in the older terminology) to government agencies. This would actually take very little in the way of additional regulation in many countries--the same departments of corporations which file various reports with the government would be compelled to provide keys. GMR is CMR with the government being one of the keyholders. And the users need not even be involved in this...all that is needed is an order, or finding, by the SEC, FTC, IRS, etc., that CMR keys be deposited with the government. (When the Justice Department was suing IBM and AT&T and demanding every scrap of paper they could get, including thousands of boxes of documents, wouldn't they have surely demanded the CMR keys, had they existed back then? Were Microsoft to be using CMR, don't you expect these keys will be demanded by Janet Reno? This, by the way, ought to be reason enough for MS to abandon its internal programs on message recovery. But I wouldn't be surprised if failure to adopt CMR is itself seen as part of a conspiracy to thwart government investigations...speculating wildly, this may be a reason many companies adopt CMR, and why many other companies eschew CMR.) In the U.S., there may be various challenges to the constitutionality of this. Certainly some organizations--hospitals, psychiatric facilities, newspapers, etc.--will have First and Fourth Amendment claims, e.g., protection of confidential sources, protection of medical privacy, etc.. Will XYZ Corporation have such protections? Unclear to me. (Recall the Jim Choate mantra that "only individuals have rights.") I don't mean for GMR to replace GAK, which has served us so well for several years (since being coined by Carl Ellison, of course). But the Newspeak everyone is using is "message recovery," with a disaster planning spin on it (however incorrectly), so maybe we should change with the times, too. "GMR" serves to deconstruct and monkeywrench the CMR term. --Tim May The Feds have shown their hand: they want a ban on domestic cryptography ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^2,976,221 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."

Kent Crispin <kent@bywater.songbird.com> writes:

Declan writes:

...

I agree that PGP 5.5 doesn't meet the FBI's demand for realtime access. But it can be used as a waving-around-on-the-House-floor prop to pass a law that requires mandatory key escrow.

They could wave around TIS's products (designed by noted cypherpunk Carl Ellison, I believe), or NorTel's Entrust, just as well. Hell, in a few months they may be able to wave around Adam Backs CDR product, which also facilitates GAK -- access to communications is worse than access to data, by some measure, but the LEA's will certainly be grateful to Adam for his legitimization of Key Escrow...

I think there is a large difference between storage key recovery and message key recovery. Also a difference between message key recovery and including information with the message allowing it to be recovered by fourth parties. Yes, governments would like to come take your disk, but they've got to come and get it first. And when they get there they may find you are not using GAKked keys on your disk encryption. They won't know until they try. With email GAK and recovery info with the email, they can tell from remote snooping if you are cheating. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`