Re: A brief comparison of email encryption protocols
Jueneman@gte.com
Thu, 22 Feb 1996 17:25:18 EST
Mark Feldman said:
>PEM mandates X.509 certificates, the use of a single, trusted root
>(the IPRA), and provides an ad-hoc method for transmission of
>certificates and CRLs in the absence of X.500 servers. Bootstrapping
>trust in the IPRA's certificate is the only step that requires out of
>band verification. PEM is quite clear about what constitutes a
>trusted certificate. This was apparently too much standardization for
>many who wanted a more flexible trust mechanism. The delay in getting
>the IPRA up and running did not help.
I would quibble about a couple of points.
Certainly PEM mandated the use of X.509 certificates, and the flaws in the V1
version were thereby magnified and finally corrected with the V3 definition. If
all of the time and effort that went into the PEM discussions accomplished
nothing else, that was still a notable accomplishment, for now we have an
infrastructure that we can make real progress on.
PEM did NOT mandate the use of a single, trusted root. Far to the contrary. It
explicitly acknowledged the need for multiple, independent domains of identity
assurance, called Policy Certification Authorities, or PCAs, that would
establish a standard around which others of a similar inclination could gather.
But there never was ANY expectation that it would be possible to bootstrap
"trust" up to the IPRA.
The IPRA served one primary and one secondary function. It provided a means of
syntactically validating the public keys of the PCAs, thereby potentially
easing the problem of providing out-of-band verification for those different
domains. But there was never any requirement that a given PCA register with the
IPRA, nor were any guarantees ever made or even implied that the IPRA would
enforce any notion of "trust" between potentially competing, and possibly even
warring factions. I'm sure that to this day Jeff Schiller would be equally
happy to register the KGB and CIA PCAs, the Mafia and the FBI/Interpol, Macy's
and Gimbels, and the IRA and the English government, all in one great big happy
family. Would that mean that they would be willing to "trust" each other, just
because their keys were centrally listed and registered? Don't be silly!
The secondary function it was supposed to solve is still a major problem. If
ordinary individuals, or Residential Persons in X.500 jargon, are to be
identified in a manner that is considered globally unambiguous, then some form
of hierarchical name registration would be required. Since the various states
seemed to be no more eager to rush in and deploy an effective name registration
function than anyone else, it was recognized that someone would have to play
tie-breaker in the event two people claimed the same name. This becomes even
more of a pressing issue if, for privacy reasons, people do not want to
disclose their full residential street address. I submit we still have this
problem, and the only effective way to guarantee uniqueness without violating
privacy is to use a CA name plus serialNumber approach in the DN, relegating
the non-unique commonName to alternateName.
But back to the issue of the trusted root. I certainly recall extensive
discussions with Steve Kent and others regarding various IMPLEMENTATION OPTIONS
for managing an end-user specified and controlled cache of trusted
certificates, commencing with the user's own. No one had a problem with that,
and that provided the end user, the person who ultimately has to make the real
decision as to whom he trusts, with the ability to add as many single
individuals, small hierarchies, or even large cross-linked hierarchies as one
could reasonably ask for.
What PEM didn't do was:
1. Support the PGP notion of transitive trust. If I trust you, and you trust
Jim, and Jim trusts Guido, then necessarily I must trust Guido. That was, and
still is, so contrary to the way life really works that my mind boggles. I
think someone demonstrated fairly recently that even in actual practice, not
just theoretically, a chain of trust only has to be 7 or 8 nodes long in order
to reach or know every person on the planet. But an introduction still doesn't
constitute a necessary and sufficient condition for trust.
2. Support the notion of one CA or one individual belonging to two or more
certificate hierarchies. This wasn't due to any particular philosophical
disinclination towards mesh networks, but rather to the particular constraints
imposed by the existing definition of X.509, and in particular the DN
constraints. On balance, considering the amount of hard intellectual work it
took to come up with X.509 v3 and the amount of time before it began to be
accepted today, I don't think that was a "wrong" decision.
The REAL problem with PEM, I submit, was the fact that despite our own
predilections, there simply wasn't sufficient market demand for a commercial
security product. People scarfed up the free PGP, to be sure -- perhaps as a
toy, and perhaps to sort of stick a finger in the Establishment's eye -- but
how many people do you see frequently _using_ it even now, much less four or
five years ago? MIME compatibility was of considerable interest to the cutting
edge Internet techies and visionaries, but was an insignificant nit with
respect to PEM's lack of acceptance.
It wasn't until Mosaic burst on the scene, and the price performance of PCs and
modems came down to the point that the mass market could start to play with the
Internet that a serious concern began to develop for security (assuming that it
has even now). Now even the funny papers talk about computer viruses (and not
just Dilbert, either), and you see http addresses on park benches and bus
advertisements that weren't written as graffiti, and people like my 85 year old
father are about to buy their fourth computer. Suddenly the concept of global
communication has come of age, and with it a new sense of both opportunity and
perhaps danger.
And finally, even if there had been a hidden, pent up demand for encryption and
signature products, there wasn't the necessary ubiquitous CA infrastructure.
Still isn't, but at least we are getting close -- maybe six to twelve months
away. In the meantime there were huge issues of liability that had to be dealt
with, the absence of any statutes or case law, etc. I wasn't involved and have
no direct knowledge, but I would bet someone a steak dinner that the reason why
it took so long to get the IPRA operational had nothing whatsoever to do with
technical difficulties.
The real driving force is going to be electronic commerce, at least as far as
supporting the development of the CA infrastructure. Now that MasterCard and
Visa have reconciled their differences and put their seal of approval on the
concept, I think electronic credit card shopping is going to take the world by
storm. And that in turn will support the existence of CAs for other but similar
purposes. And finally we'll get our secure e-mail. Amen.
Sorry for the diatribe, but I wanted to set the record straight for those who
may have tuned in late.
Bob
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
Jueneman@gte.com
1-617/466-2820
"The opinions expressed are my own, and may not
reflect the official position of GTE, if any, on this subject."
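The message above contrasts three things in prose: a PEM-style chain that is accepted only when it terminates in a certificate the end user placed in their own trust cache, the PGP-style transitive trust ("I trust you, you trust Jim, Jim trusts Guido") that the author objects to, and the use of CA name plus serialNumber to keep two "John Smith"s apart. The following Python model is an added example written for this page, not code from the post, from PEM, or from any PGP implementation. It models no signatures at all: a certificate's issuer field simply names the CA that vouches for it, and all names, serial numbers and endorsement edges are constructed for the demonstration.

```python
"""Toy model of the two trust models discussed in the post above (added example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate. No cryptographic signature is modelled;
    'issuer' just names the CA that vouches for 'subject'. Hypothetical structure."""
    subject: str
    issuer: str
    serial: int

    @property
    def unique_id(self):
        # Issuer name + serialNumber stays unique even when commonNames collide.
        return (self.issuer, self.serial)


def is_self_signed(cert):
    return cert.subject == cert.issuer


def validate_hierarchical(leaf, ca_certs, trust_anchors, max_depth=8):
    """PEM-style validation: follow issuer links upward and accept the leaf only
    when the chain ends at a self-signed certificate the *user* put in their own
    trust cache. Trust never propagates through peers. Returns the chain
    [leaf, ..., anchor] or None. Both dicts map a CA subject name to its Cert."""
    if is_self_signed(leaf) and trust_anchors.get(leaf.subject) == leaf:
        return [leaf]  # the user's own key, cached as the first trusted entry
    chain = [leaf]
    current = leaf
    while len(chain) <= max_depth:
        anchor = trust_anchors.get(current.issuer)
        if anchor is not None and is_self_signed(anchor):
            return chain + [anchor]
        issuer_cert = ca_certs.get(current.issuer)
        # Unknown issuer, or a root the user never chose to trust: reject.
        if issuer_cert is None or is_self_signed(issuer_cert):
            return None
        chain.append(issuer_cert)
        current = issuer_cert
    return None  # chain longer than the depth the user allows


def validate_transitive(me, endorsements, target, max_hops=8):
    """PGP-style transitive trust: endorsements[a] is the set of keys 'a' vouches
    for. The target is accepted if an introduction path from 'me' exists within
    max_hops, even though I know nobody on that path beyond the first hop.
    Returns the path or None."""
    queue = deque([[me]])
    seen = {me}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_hops:
            continue
        for nxt in endorsements.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


# Constructed sample data (hypothetical names and serial numbers).
ACME_ROOT = Cert("O=AcmeCA", "O=AcmeCA", 1)
ACME_ISSUING = Cert("O=AcmeCA Issuing", "O=AcmeCA", 2)
OTHER_ROOT = Cert("O=OtherCA", "O=OtherCA", 1)
ALICE = Cert("CN=Alice", "O=AcmeCA Issuing", 1001)
GUIDO = Cert("CN=Guido", "O=OtherCA", 5)
SMITH_A = Cert("CN=John Smith", "O=AcmeCA Issuing", 1002)
SMITH_B = Cert("CN=John Smith", "O=OtherCA", 6)

CA_CERTS = {c.subject: c for c in (ACME_ROOT, ACME_ISSUING, OTHER_ROOT)}
MY_TRUST_CACHE = {ACME_ROOT.subject: ACME_ROOT}  # the only root I chose to add
ENDORSEMENTS = {"me": {"you"}, "you": {"Jim"}, "Jim": {"Guido"}}


def demo():
    """Run both models over the sample data and return the outcomes."""
    alice = validate_hierarchical(ALICE, CA_CERTS, MY_TRUST_CACHE)
    return {
        "alice_chain": [c.subject for c in alice] if alice else None,
        "guido_chain": validate_hierarchical(GUIDO, CA_CERTS, MY_TRUST_CACHE),
        "guido_path": validate_transitive("me", ENDORSEMENTS, "Guido"),
        "smith_same_cn": SMITH_A.subject == SMITH_B.subject,
        "smith_distinct": SMITH_A.unique_id != SMITH_B.unique_id,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Under the hierarchical model Guido is rejected because his chain ends at a root the user never added, while the transitive model accepts him through three introductions the user never evaluated; the two John Smiths share a commonName but are distinct once identified by issuer plus serialNumber.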