why we are arguing for more resistant variants (Re: Is PGP still private?)

Adam Back aba at dcs.ex.ac.uk
Sun Oct 19 02:32:41 PDT 1997

Toto <toto at sk.sympatico.ca> writes:
> Kent Crispin wrote:
> > You keep talking as if your CDR proposal is other than vaporware.  So
> > far as I have seen you don't have a proposal, you have a wish.
> 
>   Given Adam's many accomplishments in the arena of CypherPunks issues,
> I find it hard to make a case for his discussion in this area to be
> mere mental masturbation.

Thanks for the vote of confidence, Toto.

Also I must raise the point that it is not a lone stand.  Other people
are arguing against PGP Inc's CMR proposal, and are arguing for more
GAK resistant variants, and alternatives.  

Several amongst those who have so argued are higher reputation than
myself: Bruce Schneier, (plus some others with similar crypto
credentials I have asked for comments from off list which I can not
reveal due to ethics of email confidentiality).  I have some small
amount of credibility myself I think also.

In addition I consider myself, Tim May, Peter Trei, Attila T Hun, and
the many others arguing for more resistant variants to have some
reputation, and it seems unlikely to me that we would all burn our
reputations over an insignificant point.  We are collectively arguing
because (and I think the others will agree) we think that there are
more resistant variants than the CMR proposal used in pgp5.5.  These
variants are also practical within the constraints imposed by the
plug-in APIs, and user requirements PGP must work within, I believe.

Even Kent Crispin who seemed to dismiss the first round as an
insignificant difference, is offering more resistant variants.  PGP
Inc's Jon Callas together with cypherpunks Bill Stewart, Attila T Hun,
and myself were also arguing that even TLS (transport level security),
or in other words an extra encryption envelope over the recovery
information is an improvement.  (Particularly if you do as I argue for
and try to make the TLS keys user owned where possible, and try to
make the system as forward secret as possible).

However the biggest point of all is that: communications keys are more
valuable to any attacker (government, unscrupulous little brother, or
industrial spy) than storage keys.

I would be interested to see any one willing to burn their
reputational capital refuting that simple point.

That point is the simple central starting point for all arguments
about the dangers of allowing recovery information to be transmitted
with the communication.  Recovery information should be local
wherever possible.  Bruce Schneier had harsh words to say about
violating this principle in one of his recent cypherpunks posts.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
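Added example (mine, not from this thread, from PGP Inc or from any PGP release): a toy model of the distinction the post rests on, recovery information that rides with the communication versus recovery information that stays with the locally stored copy. The XOR stream cipher, the role names ("recipient", "recovery", "storage") and the packet layout are constructed for illustration and are assumptions, not PGP 5.5's actual formats; the point it demonstrates is which captured material an attacker holding only the recovery key can read under each design.

```python
"""Constructed model of two message-recovery designs (not PGP code).

A toy XOR stream cipher stands in for real encryption so the example
runs with the standard library only.
"""
import hashlib
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256; illustration only, not a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with a keystream derived from (key, nonce)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def seal(plaintext: bytes, holder_keys: dict) -> dict:
    """Encrypt under a fresh per-message session key and wrap that session key
    once for every role in `holder_keys` (role name -> long-term key)."""
    session_key = os.urandom(32)
    nonce = os.urandom(16)
    wraps = {
        role: toy_encrypt(key, b"wrap" + nonce, session_key)
        for role, key in holder_keys.items()
    }
    return {"nonce": nonce, "wraps": wraps, "body": toy_encrypt(session_key, nonce, plaintext)}


def unseal(packet: dict, held_keys: dict):
    """Open `packet` with any role key the holder actually has; None if none fit."""
    for role, wrapped in packet["wraps"].items():
        if role in held_keys:
            session_key = toy_decrypt(held_keys[role], b"wrap" + packet["nonce"], wrapped)
            return toy_decrypt(session_key, packet["nonce"], packet["body"])
    return None


def send_cmr_style(plaintext: bytes, recipient_key: bytes, recovery_key: bytes) -> dict:
    # Recovery information travels with the communication: the session key is
    # wrapped to the recovery key inside the wire packet itself.
    return seal(plaintext, {"recipient": recipient_key, "recovery": recovery_key})


def send_local_recovery(plaintext: bytes, recipient_key: bytes) -> dict:
    # Wire packet carries nothing but the recipient's wrap.
    return seal(plaintext, {"recipient": recipient_key})


def archive_locally(packet: dict, recipient_key: bytes, storage_key: bytes, recovery_key: bytes) -> dict:
    """Recipient opens the message on arrival and re-seals it for local storage;
    the storage copy is what carries the recovery wrap, and it never hits the wire."""
    plaintext = unseal(packet, {"recipient": recipient_key})
    if plaintext is None:
        raise ValueError("recipient key does not open this packet")
    return seal(plaintext, {"storage": storage_key, "recovery": recovery_key})


def compare_designs(plaintext: bytes = b"constructed sample message") -> dict:
    """Send the same text under both designs and report what an attacker who
    has obtained only the recovery key can read from what they can capture."""
    recipient_key, storage_key, recovery_key = (os.urandom(32) for _ in range(3))
    wire_cmr = send_cmr_style(plaintext, recipient_key, recovery_key)
    wire_local = send_local_recovery(plaintext, recipient_key)
    archive = archive_locally(wire_local, recipient_key, storage_key, recovery_key)
    holder_of_recovery_key = {"recovery": recovery_key}
    return {
        # Passive interception of traffic suffices under the CMR-style design.
        "cmr_wire_readable_with_recovery_key": unseal(wire_cmr, holder_of_recovery_key) == plaintext,
        # Under local recovery, captured traffic is useless to that attacker.
        "local_wire_readable_with_recovery_key": unseal(wire_local, holder_of_recovery_key) == plaintext,
        # They must instead reach the stored copy on the recipient's machine.
        "local_archive_readable_with_recovery_key": unseal(archive, holder_of_recovery_key) == plaintext,
        "recipient_reads_both": (
            unseal(wire_cmr, {"recipient": recipient_key}) == plaintext
            and unseal(wire_local, {"recipient": recipient_key}) == plaintext
        ),
    }


if __name__ == "__main__":
    for name, result in compare_designs().items():
        print(f"{name}: {result}")
```

The model deliberately uses a fresh session key per message but wraps it to long-term keys, so it shows only the local-versus-transmitted recovery distinction; the forward-secrecy refinement the post also mentions (keys that are discarded after use so that a later compromise reveals nothing already sent) would need ephemeral key agreement on top of this and is not modelled here.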
