From: Matthew Patton <pattont_private>

> As we move towards
> electronic commerce, digital signatures that are as legally binding as
> handwritten ones are a necessity. In such a world, certification
> authorities will act as guarantors in much the way that notaries public do
> now.

Forgive me, I'm no crypto, digital signature, or legal expert but having attended a recent US DoD PKI briefing and spent some time with the speaker (LCDR P. Friedrichs - most knowledgeable) we discussed at length some of these issues.

The problem with digital signatures is that while you have some assurance that somebody had possession of a certificate and knew the private key, you have no idea if that person is the real holder. Most private keys are stored on enduser boxes which, as most of us IT people are aware, have not an iota of security. Therefore proving that the key has always remained under the user's control is impossible. Therefore the much treasured concept of non-repudiation is unattainable.

I also disagree that ecommerce requires 100% guarantees as to the parties' identities. When you buy stuff from a street vendor, does he check your license, call up your office, or do a retina scan? No. He just takes your green backs or credit card and hopes they aren't fakes. It will be no different in the "wonderful electronic age."

What prompted me to write this message was the last statement in the above quote. This concept of a CA guaranteeing anything is preposterous! A notary is intimately and physically involved in the transaction. A cert authority / "trusted 3rd party" isn't. All they provide is a directory of public keys and attached certificates. Namely infrastructure. (certs = public key + identity) Therefore the whole chain of trust falls flat on its face.

Ever wonder just how CAs are going to be assured of your identity? SSN? I don't think so.
Not only is it patently illegal for identification purposes, getting multiples or for that matter not getting one in the first place is very much an option.

> "The most important principle," said Richard
> Schlechter for the EC's DGXIII at a recent conference on cryptography in
> London, "is to be sure that if you're doing business over the Internet you
> have a legal signature at the end."

This guy ought to know better. In EVERY non-cyber transaction there are at least 2 parties in a room who can stare at each other, touch each other, or talk to each other before putting their signatures on a PHYSICAL piece of paper. Each party gets a copy as proof. This paper is what is submissible in court. In a 3 party system you STILL have the notary or adjudicator physically present. The crux of the issue is that EVERYTHING being done is physical, tangible. Even if you were to sign a paper and fax it back to the other party, that's still a physical piece of evidence. In cyberspace you have no physical representation.

I also disagree that you need a signature to do transactions. The vast majority of financial interaction is done by ordinary people buying food, gas, appliances, books, clothes etc. at the local merchant. And nowhere in this vibrant economy is a signature a necessity. Sure if you do a credit card or check payment you give them one, but just try proving the signature is valid in court. Neither I nor the store can prove it was indeed me who was there at the checkout line signing my name. Unless you have other sources of proof like video cameras.

Ecommerce is perfect for the little stuff. If you're doing huge deals, a face to face will always be necessary I would think. Will we and society in general accept the premise that faster transactions and their reduced cost is an acceptable tradeoff with not knowing who we're dealing with? Will it be declared by legal or legislative fiat that this flawed model is good enough? That seems to be the case in some states.
Do you really think you can drag somebody into court months or years (maybe just days afterward) and based on the fact that they 'may' have had possession of a key at the time, prove that the document is indeed genuine? Who is going to provide the evidence? The "trusted 3rd Party"? Hardly. (I wish we would quit using that term. They can't be trusted in any useful way. They simply provide the infrastructure as a certificate clearing house. Are they going to notice that the same public key has been bound to multiple entities? Or that the same entity has multiple keys? Why should they care?) What you need is corroborating evidence from a 3rd party who was a witness to the transaction: a notary for example: a human.

Even more sinister is that the burden of proof to show that the key remained under perfect control (or was compromised) rests entirely on the defendant. Now wait just one minute! That flips the whole principle of American justice on its head. Are we going to rewrite the Constitution too just so we can do ecommerce? I think not. Is it any wonder then that the financial organizations absolutely pan SET? These guys MUST worry about stuff holding up in a court.

So is electronic commerce doomed? I don't think so. For all of its flaws, PGP is highly popular for privacy though frankly no one uses it to prove identity. You can personally trust a handful of people, but do you then turn around and trust the people they trust? Wasn't it something like 6 degrees of freedom and you'd know everybody in the world?

I think the only viable ecommerce will be anonymous ecash. You can't prove who you are so why bother figuring it out or worrying about it? Obviously the bank may care some when they issue you 'credits' but they have a better chance of knowing who you are if it's a face to face thing. But what really matters is *NOT* who the person or entity doing the buying or selling is, it's the genuineness of the "coinage." THAT is the crucial problem.
We solve this in the real world with elaborate printing, special paper and a HUGE but practically ignored degree of trust. "In God we trust," no kidding. The trick is to inspire the same confidence in electronic coins.

So is it then sufficient that the bank get a cert from the Dept of Treasury and issue coin with that cert? Will every merchant be willing to accept the coins so marked? How do we deal with the literally thousands of banks and branch offices and each having their own signing keys? The infrastructure would be non-trivial, not to mention just more ways in which somebody's key will eventually be stolen. See, if the banks are the ones doing the signing, it's a bit easier to hit them with the law if they start issuing "fake" coinage.

Then again maybe we should adopt another practice from the real world. Only a handful of tightly controlled plants actually print the money in circulation. It's moved to the banks via truck. So let's say each plant has their own signing key, all of like 6 total in the USA. Each bank receives its "allotment" via a floppy disk carried by a courier. They load the money into the computer vault and sign the receipt (note, PHYSICAL evidence). When customers come to them for "money" they fill their smart cards or whatnot with a series of coins the bank has on hand. The customer goes out and spends them. Naturally each 'coin' would have to have a unique ID, just like we have on paper money today. That's easy.

The potential problem is ensuring that the Dept. of Treas keeps those signing keys under strict control or has a means by which each "batch" of money gets a new key with a relatively short expiration time. This 'expiring' coinage practice corresponds perfectly with the Dept of Treas recalling old bills. You simply revoke/expire their certificate and any such cybercash rattling around becomes worthless. Naturally there has to be a robust means by which a customer with "old" coin can trade in his for some of the "new".
All we've done really is exchange a physical representation of money into an electronic one. None of the long established banking mechanisms has changed in any significant way. If you are doing bank to bank transfers, you simply move the digital coins to the other end, making sure you delete them out of your vault. Otherwise you could have 2 different banks/entities both claiming to have possession of the same coin. As we all know, computer snafus aren't exactly rare events.

Do we care if conceivably somebody manages to issue a coin with the same IDs and also gets the signature correct? Isn't that what counterfeiting is today? I would argue that pulling off a successful fake coin in the digital age would be rather more difficult than the paper variety. But in truth, the problem domain is different. A counterfeiter today needs to find the special paper, the dyes, the patterns, a press etc. Things that require some doing to acquire. In the digital arena all he conceivably needs is enough computing power to brute force or otherwise cryptographically break the signing keys. I hope it is clear then that signing keys will have to be very long, of good quality, and be changed rather frequently (semi-annually?).

Much like ATMs and credit cards these days I think we will end up adopting a strategy that simply puts a cap on liability: acceptable risk vs convenience. ATM and CC fraud is rampant, all I need is an account number and a PIN. I can dumpster dive or brute force my way in. But note that ATM withdrawals are limited to 3 to 4 hundred dollars per day in many areas. The ecommerce equivalent could be say $2000 but as the good CMDR put it, "how many $2k transactions per millisecond?"

Whereas current fraud can be caught by tracking usage patterns and back channels like video cameras, what are you going to do in cyberspace? Arrest the guy on the other end of the TCP/IP link? But where is the 'other end'?
In the physical world the only parallel we have to source bouncing is the Don having his soldiers do the dirty work. But law enforcement can still arrest the soldier for actually committing the crime. You going to arrest Harvard's system admin because one of his systems was the last jump off point for a guy defrauding Citibank? I don't think so. It seems if you are peddling fraud insurance, the 21st century is looking to be an opportunity of a lifetime.

BTW, cryptography is only really useful for ensuring that the private key holder can read the message. It's when we extend "possession to identity" that we get into trouble.

So what does this have to do with the DoD trying to use PKI? Well, frankly if I receive a message via email from general X saying I am to move my unit 12 miles North and prepare to engage the enemy at 0400 I have just as good if not better assurance that the message is legit. Today I might get a phone call from the general or his aide. Do I know his voice? Have I ever met the guy, know his manner of speech, his intonation? If I do, then my assurance level is very high. If not, it could be some peon or enemy playing a sick and deadly joke. How about if I get the directive over the Telex. Do I have any justified faith in the communications infrastructure that drives that? Just like with the telcos, what reason do I have for trusting them? None that I can fathom. Yet we still do. A perfect example of IMO grossly misplaced trust: the security of SIPRnet.

I think it's simply a matter of showing people the mind boggling degree to which they have implicitly trusted these more mundane channels of communication. Doing it electronically is really not such a big leap of faith. In fact, I think it could be reasonably argued that the confidence level is significantly better. Personally, when I see a memo digitally signed by DefSec. Hamry, I would be inclined to give it more credence than one I see on paper.
After all, maybe his secretary, or someone else entirely whipped the thing up and forged his signature. I don't know his signature from John Doe's. Do you?

The key upon which this whole house of cards rests is naturally the methods by which identity is established and how well the policy is enforced. Unfortunately when you start distributing this function to a large number of registration authorities (largely due to logistical issues) my confidence level plummets. So what are the procedures and datapoints that together constitute acceptable assurance in establishing an identity? I haven't the foggiest idea.

This email has wandered far afield of the ISN charter and I apologize. I will be happy to discuss this further off line with those more knowledgeable than myself.

--------
It is by caffeine alone I set my mind in motion, it is by the beans of Java that thoughts acquire speed, the hands acquire shaking, the shaking becomes a warning, it is by caffeine alone I set my mind in motion.

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
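
The batch-key coin scheme sketched in the message (unique coin IDs, one signing key per batch, expiry or revocation of a batch, two parties presenting the same coin) can be shown as a verifier-side check. This is an added example, not part of the original post: the function and class names, batch ID and dates are hypothetical, and the toy RSA key built from two Mersenne primes stands in for a real signing key so the code runs on the standard library alone.

```python
import hashlib
from datetime import date

# Toy RSA batch key from two known Mersenne primes (assumption for the demo).
# Trivially factorable: it illustrates public verification, nothing more.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the plant only

def coin_digest(serial, batch, cents):
    msg = f"{serial}|{batch}|{cents}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def mint_coin(serial, batch, cents):
    """Printing plant: sign (serial, batch, value) with the batch private key."""
    return {"serial": serial, "batch": batch, "cents": cents,
            "sig": pow(coin_digest(serial, batch, cents), D, N)}

class Verifier:
    """Merchant or bank: holds public keys, expiry dates and a spent list."""
    def __init__(self, batches):
        self.batches = batches      # batch id -> (public modulus, expiry date)
        self.revoked = set()        # batches recalled before their expiry
        self.spent = set()          # (batch, serial) pairs already accepted

    def accept(self, coin, today):
        entry = self.batches.get(coin["batch"])
        if entry is None:
            return "unknown-batch"
        modulus, expires = entry
        expected = coin_digest(coin["serial"], coin["batch"], coin["cents"])
        if pow(coin["sig"], E, modulus) != expected:
            return "bad-signature"      # altered value or forged coin
        if coin["batch"] in self.revoked or today > expires:
            return "retired-batch"      # must be traded in for new coin
        key = (coin["batch"], coin["serial"])
        if key in self.spent:
            return "double-spend"       # same coin presented twice
        self.spent.add(key)
        return "ok"

if __name__ == "__main__":
    v = Verifier({"1999-A": (N, date(1999, 6, 30))})   # constructed batch
    coin = mint_coin("A0000001", "1999-A", 500)
    print(v.accept(coin, date(1999, 3, 1)), v.accept(coin, date(1999, 3, 2)))
```

The spent list is the part that needs shared state: two verifiers with separate lists would each accept the same coin once.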
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:48 PDT