Orthogonality and Disaster Recovery

Kent Crispin kent at bywater.songbird.com
Sun Oct 26 01:40:33 PDT 1997



On Sat, Oct 25, 1997 at 01:52:05PM -0700, Tim May wrote:
> One of the themes of modern computing I strongly support is that of
> "orthogonality," or clean functionality. A browser should not also try to
> be a money management program. A word processor should not also try to be
> an accounting program.
[...]
> 
> A crypto program like PGP is intended to encrypt messages between a sender
> and a recipient, or to provide authentication through signatures, or to
> encrypt files on a storage medium. These are the classic, well-documented,
> oft-discussed functions of crypto.

You are missing the less well-documented, but equally classic function
of key management, which is a part of any useful crypto system.  The
key management part of it *could* exist as a separate program from the
encryption/decryption part, but they are *far* more closely tied than
word processing and accounting, and what you would have is a crypto
*system*, composed of several relatively tightly coupled programs that
share complex data formats.  Such a crypto system would be quite
useful, and would allow the construction of all kinds of other
products by using scripting languages.  However, the ergonomics of
such a crypto system would not be appropriate for the average point
and click MacWindows Moron. 

[...]

> If properly modularized and orthogonalized (so to speak), such crypto
> programs can then be used as building blocks for other tasks, like
> remailers, data havens, and so on.
> 
> But there is a growing tendency, as seen in the bloatware examples of
> browsers and spreadsheets mentioned above, to throw in all kinds of "wish
> list" and "wouldn't it be nice" stuff. PGP is headed for bloatware. ("It's
> not just a crypto program, it's also a tax preparation  and disaster
> planning program!")

I think you are quite off base here.  There is very little additional 
functionality added by CMR; and the enforcement *is* done by a 
separate program.

[...]

> But are such bloatware crypto programs even good for disaster recovery?

Nice try, but the bloat, if any, comes from the gui and other stuff, 
not the crypto functionality.  PGP 5.x, from a user interface point 
of view, is much simpler than previous versions -- it integrates very 
cleanly and unobtrusively with the system on the MacWindows platform.

[...]

> I am also not terribly interested in convoluted, byzantine schemes for
> building "CDR" and such into crypto programs, as some are proposing. Again,
> this is trying to make a crypto program into a disaster preparation
> product, and trying to (partly) solve backup and disaster problems best
> solved in other ways. Not something PGP should worry about (either the
> program or the company).

Are you nuts?  Of course PGP, Inc, should be worrying about this kind 
of stuff.  They *need* new products to survive.

> "What if Alice forgets her key?" (Loses her private key, forgets her
> passphrase, whatever.)  A very real concern. A concern I have myself. I
> won't say how I deal with it, for security reasons, but it ain't something
> I expect PGP, Inc. to solve _for_ me. Nor is my solution, whatever it is, a
> step toward GAKking of keys, or any kind of building of an infrastructure
> for surveillance.

Fine -- you use your personal solution.  PGP, Inc is trying to 
provide solutions that work in an organizational setting, where 
forgotten passwords are a constant fact of life, and where the 
security issues are vastly different from your situation.

[...]

> As this relates to PGP, it just ain't their problem to try to answer the
> demands of control freaks in corporate MIS departments that backdoors be
> built into crypto products.

If they want to survive as a company, it is.

> PGP, Inc. should stick to its core business, and not try to build in
> snoopware backdoors for control freak MIS managers.

Just precisely what is their core business, Tim -- supplying freeware 
to Cypherpunks?
 
> If it is claimed that corporate America is demanding these backdoors, our
> industry and community then faces a major educational battle.

"If it is claimed..."? Of course it is claimed -- it's a fact.  And
yes, there is a major educational battle -- ivory tower cypherpunks
have to educate themselves about the nature of the world.  You
believe, apparently, that large organizations contemplating crypto are
just misguided or duped by evil governments into doing the devil's
work.  Until you actually grok what is going on you will never be all 
that effective in dealing with it.

-- 
Kent Crispin				"No reason to get excited",
kent at songbird.com			the thief he kindly spoke...
PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html







More information about the cypherpunks-legacy mailing list