(This is a long mail; if this discussion should be taken off-list, let
me know.  I know it doesn't fit in its original thread.)

On Fri, Dec 19, 2008 at 4:08 AM, Ian G <i...@iang.org> wrote:
> On 19/12/08 05:57, Kyle Hamilton wrote:
>
>> Self-help chat message boards are a rather odd concern,
>
> Not sure what you mean by "odd" ?  Social networking is all the rage.

'odd' in that if they're to participate in any kind of infrastructure,
that infrastructure needs to be able to adapt to them, and the
situation as it exists right now doesn't.

> Um.  What about "create the nym-authenticator online, without verification."
> ?  This is the one that works, and the one that they use.  Why not just add
> PK to that?

Erm... I'm not sure what you mean here.  The 'verification' (as far as
it would go) would be "the user has logged in", and (hopefully)
require the re-entering of the account's password before issuing the
certificate.  Since it's supposed to be low-value, and the purpose (at
least my purpose, I'm not sure about yours :)) is to enable social
usage of cryptography, the mechanisms by which the environments
already protect themselves shouldn't be altered.  The point is to make
it something almost insanely easy to accomplish -- create the
certificate while online, then use it offline.  This separates the
identity-consumer (the certificate verifier) from the authenticator
(who is trusted by the members of its social network, since the
authenticator is the Absolute when it comes to identities in its
context/jurisdiction).

Some sites use email-based verifications, which create links between
the email address and the community nym.

> OK.  That's an example that is similar to mine.  People need separations in
> their lives.

I agree.  With indexed information on the rise, it's far, far too easy
to undo the separations.
http://www.wired.com/politics/onlinerights/news/2008/12/open_pacer is
relevant here; it says that Carl Malamud (who's trying to open up
access to PACER-kept records) had to stop Google from indexing all the
cases he has available on his site because there's a lot of private
information in those public records.

>> Linking the pen-name with legal/employment identity would be
>> deleterious, since courts have held that companies can reasonably
>> expect certain standards of behavior from their employees, even
>> without explicitly delineating those standards.  However, slashfic
>> writers often go to science fiction conventions, and when they do they
>> often want to be known by their pen-names.  The convention itself
>> needs to know the legal name, for its own protection -- but those
>> membership lists are generally not considered "freely accessible
>> information".
>
> This is a constructed example, albeit one that is popular in USA perhaps and
> Britain.  I've seen this sort of requirement in discussions in Britain, but
> there is a political element to it.
>
> In other places, people would ask "why does the convention need to be able
> to link the two names?"

I should probably clarify the difference between the two usages of 'convention'.

Sci-Fi conventions are events that are run usually by corporations, to
maintain the legal separation of convention liability from the people
who actually run the things.  In order to do this, it must maintain
its due diligence, including knowing who it (or other attendees) might
need to sue.  This is a situation where there's a legal need for
identity -- or, put another way, a need for legal identity.  (as well
as age checks, requiring government-issued identification cards.)

However, the attendees of the convention usually don't worry about all
that stuff.  They (mostly) don't want to break the rules, and the
requirement that the convention committee (or 'concom') know legal
identity tends to keep out the troublemakers.  But, between
themselves, they're there primarily to have a good time and enjoy
themselves -- it's like the largest 3- or 4-day party you've likely
never attended.  This means that it's a social environment, thus
nicknames/pseudonyms come into use.

So.  The convention corporation needs to know legal identity, while
the convention attendees (usually) do not.  The convention corporation
does need to be able to cover its ass when it comes to what badge was
issued to whom, though, and as a courtesy they usually allow one or
more pseudonyms to be named on the badges (though not all nyms must be
listed there).  All it really needs to care about (from a legal
standpoint, to be able to comply with discovery and other legal
processes) is what the badge number is, as the unique identifier.

The database of identifier-mappings is not made public.  This policy
meets even European privacy laws (in fact, there's a lot of
conventions that happen over in Europe).

> This could be where we get cultural differences again.  The European
> perspective would be that data protection regimes give them that possibility
> anyway, and if not, there is a potential breach of law going on here.
> Whereas the American perspective would be that the marketing of the names
> is considered more a corporate right, and it is a trade for a cheaper price.

I don't really understand this point?  I understand the difference
between European and USian perspectives on privacy.  The basic rule of
European privacy is, as far as I understand it, "don't disclose
private information outside the organization, and make sure that it's
well-secured from theft and misuse".  The USian perspective is "just
try not to do it, okay?"

> Having identified a linkability requirement, I think the answer is more
> complicated than either group would have it.

The badge number and legal identity are linked.  The badge only really
needs to be displayed when you're going into convention-leased areas,
and can be hidden after you show your credential to the door checker.

It should be noted that the furry crowd has also taken to creating
badges for their "fursonas".  This is very much like an advertisement
of nym.  Not everyone does it, though -- which means that the
individual is in control of the nym-linking.  (However, since the
badges don't have any link to any actual person, they're not directly
linking those nyms to themselves.  The capability is there if
necessary, but it's not used unless or until it's necessary.)

> Ah, OTR.  There is at least one howler in OTR;  starting with the premise
> expressed by the name:  Off-the-record.
>
> This is a classic case of how cryptographers completely misunderstood legal
> concepts of records.

The concept is more that it provides plausible deniability, generally
within social contexts.  I have had a couple instances where I was
given a thoroughly corrupted message that I acted on without
double-checking.  Those created some fairly spectacular dramabombs.

>> It's only as "precisely wrong" as the identities that are embedded
>> into the certificate.
>
> No, this is moulding the PKI to fit the apparent needs.

Yes, it is.  The infrastructure must be flexible, or it'll never be
used.  Literally, you cannot build something solely for business and
expect people to beat a path to your door.  You have to make it
social, you have to make them want to use it in the first place.  This
is where PKI is, right now -- even if it's designed to be flexible,
operationally it's inflexible, and it causes problems because there's
a chilling effect from the possibility of losing job and such when the
legal name is used...

There's no reason why these "social identities" need to be treated as
anything other than a separate category of nym.  And there's no reason
there shouldn't be a means of authenticating those nyms.

> For those users, they don't want any linkability.  At all.  They don't trust
> any concept that says "trust me."  In this application, they are deeply
> needing of trust, and what they need is to verify for themselves that no
> link exists.  The requirement is that nobody knows who they are, and some
> faceless corporation promising to not reveal it is a non-starter.

The link does not need to be created.  The only time it's created is
when someone discloses that they're also known as another nym.  As I
mentioned above, this disclosure is not necessary to the convention
staff, and this disclosure is not necessary to the convention
attendees.

They can verify for themselves that no link exists, because they're
the only ones who know about it.  "Three can keep a secret, if two are
dead."

> (OK, so there are some obvious flaws here, such as IP# linkability ...
> despite this, social networking works, in a way that a formal PKI design is
> less likely to.)

What, so I shouldn't be trying to use a standard to create a means for
these identities to be used without having to be online to
verify/authenticate with the community identity arbiter?

> I admit I don't know where to go to change that.  When I consider that some
> of the changes suggested will sell vastly more certificates, and they are
> still rejected out of hand because they breach some philosophy or other, it
> is hard to know where to turn to.

I've been trying for a few years to suggest alternative user
interfaces that would not only make things less damaging to the
proponents of security tool salesmen, but less damaging to user
acceptance of those tools.  The current UI design in Firefox, frankly,
sucks more than the first generation design, and the first-gen design
sucked large rocks sideways through wet paper straws.

> One of the key security and marketing tools is brand, which is employed by
> standard security designs since before the net existed (think ATMs).  If you
> look at Firefox, the *security* side declines to use brand as a security
> tool, even with the new EV thing.  One of the benefits of EV was that it
> finally presented the user with something to hang their risks & liability on
> -- a brandname -- and finally connected security end-to-end.

...and the social sites have more branding than the CAs that are in
the browser.  They could run nymous CAs and they'd be trusted more --
and it'd be more socially useful than the dead weight of current
operation.

> Yet, on the very next box to the right, google and other search engines are
> happily branding away.  Is it any wonder that people trust search engines
> more than they trust CAs?

Not at all.  People even trust Wikipedia more than CAs.

>> You're viewing it from the POV of a corporation again.
>
> Actually, no;  users are the most frequent employers of "fix it later"
> security.  E.g., they commonly sign up to reveal their innermost secrets on
> these social networking sites, and blithely make mistakes about identity and
> traceability all the time.

Some judge in Australia allowed "service by Facebook".
http://www.telegraph.co.uk/news/newstopics/howaboutthat/3793491/Australian-couple-served-with-legal-documents-via-Facebook.html

Even a GOVERNMENT trusts social sites more than it should.

> Ah.  Look, I would interpret this differently, I would say that Software is
> using Cryptography to solve its problems where they are found. Software is
> best oriented towards reliability, and certain classes of problems need very
> reliable checksums, for which hashes fit admirably.
>
> (Security is a subset of reliability.)

'security' is the concept of reliable data, which often (though by no
means always) needs to be reliably only between two people.  Other
aspects exist, including the possibility of someone tampering with the
data that is interpreted by the computer as code.

> But, in this sense I fully agree, this is how crypto should be used (and is
> used in the best designs, even if I do say so myself).
>
> http://iang.org/papers/fc7.html
>
> Skip down a page to the colourful diagram :)

You just inadvertently linked another aspect of your identity -- I
knew "Ian G", but not that your last name is Grigg.

I'm going to read this in more detail after I finish this message, but
the overview I'm getting is that it's well-thought-out and
well-researched.

>> However, in the
>> PDF signature case the attack-protection is primarily a side-effect of
>> the timestamp, which is the most useful aspect for thwarting the
>> unwitting "attack" of human error.
>
> I think we are agreed that the PDF signing case presented today isn't a good
> use of energy.

The amount of energy required is logarithmic to the complexity of the
user interface.  (One click is one point of energy.  Two clicks is ten
points.  Three is a hundred.  And so on.  This dovetails nicely with
your comment about Kerckhoffs' 6th.)

> There are no users on this list, as far as I know.  This is a common
> complaint of mine:  who speaks for the user in a security forum?
>
> Well, ok, backpedalling here, there is one other that takes the user
> perspective who occasionally posts, but too infrequently (hi David!).

I'm actually trying to take the user perspective -- even if only
because I'm a user, too.  This is an "eat your dogfood" situation --
if it's too complex for me to want to do, then it's too complex for
anyone to want to do even once, much less on a regular basis.

Are they TRYING to discourage the use of cryptography?

>> These things that I'm bringing up (that the PKI would be much more
>> useful to everyone if the stringent requirement that only the Legal
>> Name be used in the Subject be dropped),
>
> BTW, I don't believe this exists.  In PKI, the documentation clearly permits
> a non-legal name (whatever that means) to be used, and even the European
> Union preserves that right.  Mozilla does not have a policy pronouncement
> against this (please correct if I am wrong).

If it's not an absolute requirement, then it's still an operational
requirement -- because the currently-extant CAs won't let non-legal
nyms in.  (*note that email is a perfectly valid form of legal service
in certain circumstances, so even email addresses are legal nyms.)

> The problem is that it is essentially therefore up to each CA to deal with
> it, and for the CA, it clashes with the "certificate manufacturing" model
> which is so much in favour.  The problem the CA would likely face is that
> the issuance of nyms brings the CA closer to the liability issue, and until
> that is sorted out, nyms are not worth the money.

The nyms are already assigned.  How is 'aerow...@gmail.com' not a nym?
This nym is unique within the world, because only gmail can use the
@gmail.com part of the address (rather like an OID, except not
necessarily as permanent), and my mailbox name (aerowolf) is unique
within its realm.

> <hobby> insert here reminder to think about liability problem! </horse>

I think the problem isn't so much the liability, it's the fact that
there's such a huge barrier to entry for anyone else.  ('liability'
can be explicitly disclaimed for purposes within which no commerce is
sanctioned.)

If I had the money, I'd start the process of creating a new certifying
authority that could pass Mozilla's muster -- but they require (again,
operationally) a WebTrust audit and key material on a tamper-proof
device.  Unfortunately, I don't know if "the ability to send and
receive email with social identities instead of legal identities"
would be good enough for the "broad usage" requirement.

> :)  The world of people doing security stuff with nyms is about 100 times
> bigger than the PKI world.  All social networking, all webmail, social
> forums, chat, gaming, ebay (its origins), for example.

Right.  I want to bridge that gap.  I want to make the PKI available,
as a drop-in black box for such software as Drupal and MediaWiki.  I
want to make it possible to finally get rid of the username/password
thing that we've had since near the dawn of the computer age.

>> (Hence, the "confusion" aspect: I got
>> a mail from GoodReads, saying that some name I'd never heard of had
>> invited me to keep up with what he was reading.  I mentioned this in
>> the chatroom where we often hang out in the evenings, and one of them
>> PM'ed me with a "er, sorry... that's me".)
>
> Right.  It worked up until now, which is pretty stunning really.  6 years of
> protection, and then only a local breach.  Good stuff.

Much of this is due to the fact that we have actually poured a bunch
of our hearts and souls out to each other, and we finally grew into a
trust relationship.  But yes -- I was used to interacting with a
screen name, and I got used to it.  (I still refer to him by that nym,
and I address him by that nym, and it's still more natural for me.
Sure, I know his legal name... but it's just a piece of information.
What's more important to me is that it's a symbol of trust.)

> The point is, in offices, they do work.  Where a system helps, they use it.
> Where it causes problems, they bypass it.  People -- real users --
> regularly bypass security systems where they slow the work down.

Agreed.  And the user interface for the security systems as they exist
right now is... part of what slows the work down.

> If you would like a theoretical foundation for this, have a look at
> Kerckhoffs' 6th principle.  It is perhaps the most important principle in
> security.  I don't know anything more important.
>
> https://financialcryptography.com/mt/archives/000195.html

The system must be usable, or no one will use it.  Why do you think
nobody uses ciphered mail?  (Why do you think I don't use ciphered
mail?)

>> By the way, Frank?  Is there a pool for a Secretary's Day gift for her? :)
>
> Is Kathleen a secretary?  :)

She's certainly performing the duties of one, keeping track of
documents, keeping track of progressions of things, and interfacing
with the outside world -- and chances are she knows more about the
system already than I've learned in my years.

Even if she's not a secretary... she's doing a very good job, and I
think and feel that she should be recognized for it.

> Right.  The problem is, everyone who discusses finance ignores people who
> don't understand finance, and everyone who discusses law likewise.
>
> E.g., this is why banks run their own CAs when they get involved in PKI.

Risk management.  Banks are some of the most heavily-regulated
institutions around, and they can't afford to place their risk on an
outside party.  They can use an outside party to indicate that they
Really Are The Bank, but honestly I'm thinking that a bank that wants
to run its own CA to identify itself to customers could just as easily
pass out a thumb drive with the certificate at account-opening.  (And
if the bank wants to ensure that its users have certificates, it can
generate the keys on the user's behalf, submit the CSR, and get the
certificate back from an online customer-identification sub-CA.)

>> If you build something for corporations and business, consumers won't
>> beat a path to your door -- but if you build something consumers can
>> use for fun, and your door happens to be right there, they'll come in.
>
> Indeed.  If your worldview is that you build that way, sure...

I think it's obvious that what's been built just isn't attractive to
the users at this point.  This is endemic and systemic -- from the CAs
operating in the manner they do, to the tools never actually having
usability studies applied, to the tools not even making any *sense* in
their roadblocks, since they handle unsigned content without a hitch
(unable to detect modification), but signed-but-modified content has a
HUGE WARNING THIS ISN'T WHAT WAS ORIGINALLY SENT...

Seriously.  Where's the rationality?

> Yes.  So we see the flaw here:  sellers of security like the use of high
> training budgets ... and miss the implication that the tool is not useable
> easily enough to survive.  So security sales are pushed to becoming big up
> front investments that frequently fail once we get out of the classroom.

I'm being very careful not to wish for a law requiring all computer
communications tools to implement some measure of cryptography.  Cuz
it'd be well-intentioned... and it would utterly destroy any hope for
rationality.

> Meanwhile, Skype and Firefox breach the corporate security model with
> aplomb.

Funny how they Just Work, eh?

-Kyle H
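As an added example (not code from this thread or from either correspondent), the issue-online/verify-offline flow described near the top of this reply and the generate-key/CSR/sub-CA flow from the bank paragraph, done with Go's standard library: a constructed community CA signs a certificate whose Subject carries only a pseudonym and an e-mail nym, and a relying party that trusts only that CA verifies it offline. The site name, nym and address are constructed, and the CA is assumed to have checked the member's login before signing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed "community CA": the social site is the authenticator; it is assumed to
// have already checked the member's login before it signs anything.
type NymCA struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

func NewNymCA(site string) *NymCA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the CSPRNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: site + " member CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return &NymCA{Cert: cert, Key: key}
}

// Member side: the private key never leaves the member; the CSR names only the nym and
// the e-mail address (itself a nym), never a legal name.
func MemberCSR(nym, email string) (*ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: nym}, EmailAddresses: []string{email}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil { panic(err) }
	return key, der
}

// Online step: check proof of possession, then issue a short-lived certificate for the nym.
func (ca *NymCA) Issue(csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // CSR really signed by that key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		EmailAddresses: csr.EmailAddresses, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(30 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Offline step: a relying party holding only the community CA cert checks the chain and
// learns which nym that community vouches for; a cert from another community fails here.
func VerifyNym(leaf, caCert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := leaf.Verify(opts); err != nil { return "", err }
	return leaf.Subject.CommonName, nil
}
```

Nothing in the chain ties the nym to a legal name; the only link that exists is the one the community CA keeps in its own records, which is exactly the separation the reply argues for.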
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto