the migration path (was Re: Your "RIGHT" to Speak to Big Brother)

Adam Back aba at dcs.ex.ac.uk
Tue Oct 21 11:13:51 PDT 1997

Tim May <tcmay at got.net> writes:
> "We're also asking loyal Americans within companies to send us the CMR
> secret keys. Companies have no right to keep secrets from government. We
> won't allow a company to have policies which prevent loyal Americans from
> providing information to their government."
> 
> By the way, I think the notion that the government will go to great lengths
> to get CMR secret keys is not far-fetched. Until PGP for Business supports
> a richer system of snoopware keys--and my understanding is that PGP 5.5
> does _not_--then the CMR secret key of, say, Microsoft, would be a prize
> indeed.

I think the CMR public key extension is not limited to one CMR extra
recipient per key.  Closely following discussions on ietf-open-pgp,
and the notes Bill Stewart kindly posted to this list (taken from the
description PGP Inc gave at a meeting in the US) it sounded to me that
there is a migration path like this:

pgp5.0: accepts keys with multiple CMR key requests attached but
	doesn't honour CMR requests (? I hope!), and can't generate keys
	with CMR requests 

pgp5.5: generates keys with single CMR requests, can accept and handle
	keys with multiple CMR requests

pgp6.x: will generate keys with multiple CMR requests (and of course 
	honour them too)

This suggests that the yet to be released pgp6.x (or whatever version
number is chosen) will be able to cater to such government demands
merely by the company generating their keys with two CMR requests:

recovery at acme.com
thoughtpolice at nsa.gov

The NSA can publish their public key on http://www.nsa.gov/ tomorrow,
and the law by presidential decree the day after.  This is the
balanced Sword of Damocles over privacy for real now: this is the 
switch waiting to be flicked.  This is why I am upset with PGP Inc
for using the CMR approach.  It is not CMR per se as a neutral 
mechanism, but it is the approach of building tools which
allow third party access, or "recovery" of communications traffic which
has enabled all of this.

This despite their stated corporate user requirement being storage
recovery.

> This is of course a security weakness of the whole CMR approach, exactly as
> with the key escrow database. It is a too-tempting target. Anyone within a
> company with access to the CMR secret key will be incentivized to sell it.

I agree, it is a centralised security risk.  PGP Inc are talking about
adding secret splitting perhaps, but still it is a security risk.  The
whole technique of sending recovery information over the wire is a
security risk.  Recovery information, if there is any, should be kept on
local disks and thereby be protected by the company's normal physical
security in the same way that papers in filing cabinets are.  This is
the status quo.  (Well actually no encryption at all locally is
largely the status quo, but pgp5.0 (and I presume pgp5.5) is also able
to encrypt files, and PGP Inc argues more reasonably that their corporate 
clients have a requirement of being able to recover stored encrypted 
files also).

Regardless, it is trivial to have local storage recovery without
sending recovery information over the wire.  I'll be posting (web and
list) a security analysis of CMR vs CDR presently; I think CMR loses
badly from even a purely security oriented standpoint.  (I have made
my feelings about the political demerits of CMR as a storage recovery
mechanism known already).

> Of course, Microsoft won't be using PGP for Business. Recall that they may
> have their own "software key escrow" program cooking, based on my
> discussion a few years ago with Tom Albertson (sp?) of Microsoft. Bill
> Gates has issued strongly anti-GAK statements, so maybe this is on hold.

Perhaps this is what they are busy building at their top-sikrit crypto
software development/research center at Cambridge, UK under the
guidance of the new head of research, cryptographer Roger Needham.
Looks like an export embargo end-run by Bill Gates.

Maybe Bill Gates is a cypherpunk after all; well, we can live in hope,
anyway.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
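Added example (not code from the post, PGP Inc, or the list archive): a toy model of the difference Adam is arguing about. Under CMR the wire packet carries a wrapped copy of the session key for every additional recipient listed on the key, so a company key carrying two CMR requests makes every message readable by both; under local storage recovery the wire packet holds only the real recipient's copy and the recovery copy never leaves the company's disk. The party names and secrets are constructed, and the public-key wrapping is replaced by a symmetric stand-in, which is enough to show who can open which packet.

```python
import hashlib
import os

# Toy model, constructed for illustration: party "secrets" stand in for key
# pairs, and wrap() stands in for encrypting a session key to a public key.
SECRETS = {name: hashlib.sha256(name.encode()).digest()
           for name in ("alice@acme.com", "recovery@acme.com",
                        "thoughtpolice@nsa.gov")}

def _xor(data, key):
    # Toy stream cipher: XOR with a SHA-256 keystream (involutive, so the
    # same call both encrypts and decrypts). Stand-in only, not real PGP.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(session_key, party_secret):
    # Stand-in for public-key encryption of the session key to one party.
    return _xor(session_key, hashlib.sha256(b"wrap" + party_secret).digest())

def encrypt_cmr(plaintext, recipient, cmr_requests):
    """CMR: one wrapped session key per recipient AND per CMR request,
    all of them shipped over the wire inside the same packet."""
    sk = os.urandom(32)
    parties = [recipient] + list(cmr_requests)
    return {"keys": {p: wrap(sk, SECRETS[p]) for p in parties},
            "body": _xor(plaintext, sk)}

def encrypt_cdr(plaintext, recipient, local_recovery):
    """Local storage recovery: the wire packet has only the recipient's
    copy; the recovery copy of the session key stays on the local disk."""
    sk = os.urandom(32)
    wire = {"keys": {recipient: wrap(sk, SECRETS[recipient])},
            "body": _xor(plaintext, sk)}
    on_disk = {local_recovery: wrap(sk, SECRETS[local_recovery])}
    return wire, on_disk

def decrypt(packet, party, extra_keys=None):
    # extra_keys models the locally held recovery copy being brought back in.
    wrapped = {**packet["keys"], **(extra_keys or {})}.get(party)
    if wrapped is None:
        return None
    return _xor(packet["body"], wrap(wrapped, SECRETS[party]))  # unwrap

def who_can_read(packet):
    # Everyone who can open a packet from what travelled over the wire alone.
    return sorted(p for p in SECRETS if decrypt(packet, p) is not None)
```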