I think we knew that, but the particular problem posited here is that Alice's sig can be associated with a record she never saw, an acute symptom, not a chronic one, I'd hope. But I have asked for education in that regard, and hope it's forthcoming. MacN On Wed, 15 Nov 2000, Jim Choate wrote:

On Wed, 15 Nov 2000, R. A. Hettinga forwarded from a 3rd party:

...

...

When the same judge sees a digital signature, he doesn't know anything about Alice's intentions. He doesn't know if Alice agreed to the document, or even if she ever saw it.

It's nice to see somebody else recognize the fundamental flaw with PKC is the god-damned key management.

____________________________________________________________________

He is able who thinks he is able.

Buddha

The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------

Jim Choate wrote:

On Wed, 15 Nov 2000, R. A. Hettinga forwarded from a 3rd party:

...

...

When the same judge sees a digital signature, he doesn't know anything about Alice's intentions. He doesn't know if Alice agreed to the document, or even if she ever saw it.

It's nice to see somebody else recognize the fundamental flaw with PKC is the god-damned key management.

You didn't even read the posting did you? That isn't what he said at all. He said that the problem with ALL use of computers (which for this purpose include mobile phones, car locks, smart-cards, ATMs etc. etc.) for authentication is the binding between the person & the system that does the authentication. It doesn't matter a dam whether you use PKC, DES or the Great Seal of the Holy Roman Empire. If the equipment isn't tamper-proof, or if the signer doesn't understand how the process works or if the software isn't provably valid, there can be a problem. Ken

On Wed, 15 Nov 2000, Mac Norton wrote:

INteresting, but seems to assume that Alice entered her key without seeing the relevant record, or that same was substituted after key entry. Plausible? yes. Practical? help. Easy? help, please.

Actualy there is a whole host of issues with key management in regards PKC and scaling to really usable system sizes. As Bruce points out, a major one is the identity authentication. And you can't use a levels of indirection (i.e. a key to certify a key add infinitum). Another is scaling, the problem with PGP is it's too hard to manage large (i.e. 100's of Millions of keys) at the individual level. Yet any usable systems must do just that. What organization resolves protocols and who decides whom the primary implimentor will be? Consider the code base validation issue? Compare closed and open source approaches, they each have some interesting problems. My personal opinion is the only workable system is a 3-party with the 3rd party acting as arbiter/notary. It is also just as clear that that group can't be either a government agency or a profit making business. I also believe that an OS along the Plan 9 lines is the ideal Internet framework. The Austin Cypherpunks ran an anonymous remailer for about a year and we discussed some of the issues we found on the cypherpunks list. You might look back at the archives from about 2-3 years ago. The machine was called kourier.ssz.com (it's long dead). There were also some legal liability issues that our meager legal skills simply didn't resolve, and we didn't have the money to do it professionaly. ____________________________________________________________________ He is able who thinks he is able. Buddha The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------

At 1:12 AM -0500 on 11/16/00, Declan McCullagh wrote:

Bruce's article is well-written, but it covers ground already well-trodden by others.

Certainly. Carl Ellison, Perry Metzger, and even law professors like Jane Kauffman Wynn, have been saying this stuff for years.

Moreover, most, if not all, of his points apply to data-scrambling encryption applications on the same computer.

Yup. But, frankly, you don't want to do commerce, especially finance, on a platform you don't have absolute control over, anyway. As Chaum and others point out, you want your own box, with its own I/O, and so on. Fortunately, falling hardware prices and miniaturization continue to accelerate apace.

Still, maybe it'll raise the visibility of this problem.

And that's why I'm passing this around. Bruce succeeds where others fail, by the way, because takes complicated crypto stuff like this and reduces it to plain English better than just about anybody out there at the moment. Cheers, RAH -- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

On Thu, 16 Nov 2000, John Young wrote:

Still, is there no alternative to giving government and corporations first, if not exclusive, choice on the best products and services,

Not if you plan to make a legal profit, there isn't. After all, government and corporations are the people with the money.

Now, none of this applies to Bruce's evolving computer security body of work, which is most impressive. It's just not clear what will evolve as Counterpane takes more of his time and effort.

Which mostly consists of pointing out flaws and problems with things other than the encryption/decryption algorithms in use: Bits of it are definitely worth a read between auditing routines in your code. (oh yeah, I have 64 bits of key in this local variable, and I'm exiting the routine: better remember to write over them so whatever grabs the memory next can't read them.... and while I'm at it, I better declare that 'volatile' so the system can't swap it to disk...) This stuff is why you can't just plug libraries together and have a good crypto product; A 'math library' made for crypto has to do fundamental things to prevent other applications getting their hands on 'numbers' that a math library for general application does not have to do. Ditto a windowing or GUI system made for crypto, etc. All these slap-together GUI programs made with MFC etc that we're seeing, are a completely wrong approach for cryptographic software; you can't make that stuff secure, you have to write your own. And this is what Schneier has been pointing out. And thank goodness somebody's been pointing it out.

Cybercrime begins with criminalizing digital information, that is, to regulate who gets access to private secrets, who runs the protection rackets: "don't trust your computer" is the next step after "don't trust the Internet." Confidence in both requires the assurance services of who? Ah yes, I see.

But for Homer Husband and Harriet Housewife, this is a valid point. We can download source, audit it, compile it, and then audit the crucial bits of binary to make sure nothing funny is going on with our compilers. We, as technogeeks and cryptogeeks, can set up our own trusted machines. But Homer and Harriet can't count to eleven without someone lending them a hand, and without training and dedication, there is no way in hell that they can hold enough stuff in their heads to set up a trusted machine on their own - thus "trust" will always be a leap of faith. However, even with a "machine trust" issue in the way, I don't see that digital signatures are *less* secure than the types of signatures now accepted in court. After all, signature forgery on paper documents is not unknown or impossible either, and the "Digital signature act" earlier this year allows unencrypted (!) HTTP requests received via the internet to be held as signatures in court. There is a fundamental schism here between the "identity is meat" school of thought in which our legal system is based and the "identity is bits" school of thought manifested in digital signature protocols. But that's a more fundamental idea, and I want to address it in a different post. Bear

On Thu, Nov 16, 2000 at 08:56:12PM -0500, David Honig wrote:

Herr Bear's two paragraphs below are among of the most clear, concrete explanations of 'why security is hard/ crypto is insufficient' that I've read. Clear to a programmer, anyway.

But still, I think that the vast majority of users will end up trusting something, and the vast majority will be well secured. Most do not, for example, worry about black-bag jobs.

How many hardcore cpunks have reverse engineered the source to the security apps they actually use? PGPDisk *and* PGPfone *and* PGP version whatever? With time left over for SSL? And you do regular RF sweeps too? Do you work on your own brakes, too?

No, I don't do those things. I hire an accountant for my taxes, a lawyer for such affairs, a mechanic for my car, and so on. Modern society is build on trust relationships in a free market, combined with a division of labor. Crypto is subtle, true, but so is tax law, litigation, and modern automotive control systems. It is not in principle different from those areas, where money, property, and life is at stake, and we trust others to help us. -Declan

According to current law in all nations (as far as I know), identity is meat. One person has one identity, and the identity is persistent and lifelong. All law is based on this assumption. Emerging in this forum and elsewhere is a different assumption, which is that identity is bits. If an entity has Alice's key, then that entity is Alice. Alice's person may be a different person this time, but only if Alice's last person was stupid or careless. And in this case Alice is probably better off with a different person anyway. Your dealings with Alice are still bound by the same guarantees of trust that you've always had with Alice: the laws of mathematics and the steps of the protocols. Alice's reputation and interests are likely to have changed with the change in person, but that's okay. Under the former assumption (Identity as meat) Alice transferring fortune and property to her son meant a change in the identity of the owner, and it was significant. Under the latter assumption (identity as bits) if she wants her son to now be the owner of all her stuff, she just hands her son the Alice keys and as far as anyone else is concerned nothing has changed. Alice is still the owner of the property, it's just that Alice now has a different person. Digital personas can be shared among several people, or handed off from one person to the other, without losing their integrity. This is one of their desirable properties. They can also be stolen, but so can most things of value. If your digital persona is the owner of several tons of gold in the form of digital bearer notes, and somebody else steals your digital persona, guess what? The ownership of those digital bearer notes has not changed. They are still owned by the same entity. You're just not that entity's physical person anymore. So if it is important to you that your identity remains "yours", guard your keys and audit your software, because on the net, identity is bits. If you want to impose an "identity is meat" assumption, you will have to pursue it in the meat world, where that assumption is valid -- thereby abandoning any hope of retaining the benefits of the net environment, such as anonymity or privacy. Bear

At 11:14 AM -0800 11/16/00, Ray Dillinger wrote:

According to current law in all nations (as far as I know), identity is meat. One person has one identity, and the identity is persistent and lifelong. All law is based on this assumption.

Not so fast. Corporations sign legally-binding contracts every day. Institutions enter into leases, contracts, agreements, and other legally-binding arrangements. And the issue of their "identity" is not a matter of _meat_. We don't absolve Boeing of contracts because the guy who signed a contract, or even the N guys, are dead. Q.E.D., signatures are more than just meat. And Boeing's _identity_, vis-a-vis things it signs, is more than just meat. Usually we say that Boeing's signing officers/authorities, those who enter the signatures on relevant documents, are authorized to do so by Boeing. There is much case law about all of this, I'm sure. (I've read anecdotal reports about how corporate mergers involve large teams of lawyers and officers of all parties signing a blizzard of documents, and in carefully controlled order so as to minimized chances for deadlock or fraud. A complicated protocol, one which crypto may _someday_ be part of.) A guy somewhere in Boeing who uses his PGP signature on some document is neither assumed automatically to be committing Boeing to some contract ("...it depends") nor would his death (the meat is gone) mean that Boeing is free to ignore some contract ("...it depends"). I'm obviously not a lawyer. Some here are. But this is still a specialty area. Moreover, this is very little relevant case law. Schneier's warnings are useful, but, as others have said, is obvious to nearly anyone. We on this list began talking about this issue in 1992. There will be much case law, much role for the crypto equivalient of "handwriting experts," as the years go by. And we can expect a spectrum of signing technologies and strengths. For example, the mundane auto-signing which someone may use for their e-mail is substantially less persuasive ("probative," I think the lawyers would say) than an ultra-high-security, backed-with-a-bond key which Boeing's Legal Department uses to digitally sign sensitive papers. I believe Greg Broiles is still working for Signet Assurance, www.sac.net, which is one company tackling parts of this problem. Whether they will be a dominant player is of course unknown to me. Anyway, lots of issues. But "meat" is one of the least important issues. --Tim May -- (This .sig file has not been significantly changed since 1992. As the election debacle unfolds, it is time to prepare a new one. Stay tuned.)

On Thu, 16 Nov 2000, Ray Dillinger wrote:

Emerging in this forum and elsewhere is a different assumption, which is that identity is bits.

No, it is a secure proxy protocol through bits that doesn't require physical (and usualy proximate) authentication. ____________________________________________________________________ He is able who thinks he is able. Buddha The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------

On Thu, Nov 16, 2000 at 09:40:01AM -0500, R. A. Hettinga wrote:

At 1:12 AM -0500 on 11/16/00, Declan McCullagh wrote:

...

Bruce's article is well-written, but it covers ground already well-trodden by others.

Certainly.

Carl Ellison, Perry Metzger, and even law professors like Jane Kauffman Wynn, have been saying this stuff for years.

...

Moreover, most, if not all, of his points apply to data-scrambling encryption applications on the same computer.

Yup.

But, frankly, you don't want to do commerce, especially finance, on a platform you don't have absolute control over, anyway. As Chaum and others point out, you want your own box, with its own I/O, and so on. Fortunately, falling hardware prices and miniaturization continue to accelerate apace.

What's interesting about this is that while everyone wants the added security from a device like this, no one wants to pay for it. I did a lot of the design for a secure smartcard keyboard that was produced a few years ago by a company called N*Able (bought last year by Wave Systems). It solved the problem of trusting the PC that you shove your smartcard into not to steal the PIN or sign something else or lie about what you're signing. Rather than having to trust MS (or linux) to protect your signing keys and what you're signing, you only had to trust our keyboard, which was designed from the beginning to be secure (while that's not perfect but it's a heck of a lot better than trusting MS, and good enough for commercial applications). However, in meeting with the US banking industry, we were told in so many words "this solves our security problems, we'd love to use it, but we want someone else to pay for deployment". The financial industry sees security problems not as something to be fixed, but as a cost to be borne. If the cost of the security breaks is less than the cost of the technology to fix it, or if the cost of security breaches can be passed on to someone else, there is no reason to put a security measure into place to fix the problem. I beleive that most financial systems in the US, operate on the second model (credit cards do by law- loss over $50 is eaten by the merchant or sometimes the issuing bank, to be passed back to consumers in higher prices). I think that the force that would distribute secure signing hardware in the US is profit- the hardware and the systems to support it would need to cost enough less than the fraud rate that there's a profit to be made off the difference. Unfortunately with this type of hardware, most of the cost is not in the hardware itself, but in the distribution, software and support. AMex seems to have discovered that with "blue"- there's no support for actual on-line payments. In fact the company that did the software, GlobeSET, recently folded. So now it's a regular credit card with a pretty gold-colored symbol on one side. The cost might have been worth paying for long-term customer acquisition, but it was a bust as far as fraud reduction and security is concerned. -- Eric Murray Consulting Security Architect SecureDesign LLC http://www.securedesignllc.com PGP keyid:E03F65E5

On Mon, Nov 20, 2000 at 10:45:38AM -0600, Jim Choate wrote:

On Fri, 17 Nov 2000, Peter Wayner wrote:

...

The law is very vague about the definition of signatures. It's simply a mark that is made with the intent of binding yourself to a contract. That means the old 'X' scratched on a piece of paper can still bind the illiterate. Mathematicians and computer security folks will probably recoil in horror about the circularity of the whole scheme, but that's the best the law could develop during the pen-and-ink years.

This is the reason for witnesses and notaries.

One person can easily lie about a signature. It's harder to arrange several (independent) agents to lie about it.

The 'x' mark usualy has to be witnessed to be legitimate.

Do you have a cite for that? Peter Wayner's summary is a lot closer to the case law I've seen. -- Greg Broiles gbroiles@netbox.com PO Box 897 Oakland CA 94604