Re: Security Problems

Brad Knowles (brad@his.com)
Wed, 6 Mar 1996 04:58:40 -0500
Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Brad Knowles: "Re: Draft of workshop notes"
Previous message: Terry Ritter: "Re: Security Problems"
Maybe in reply to: Terry Ritter: "Security Problems"
At 3:34 AM 3/5/96, Terry Ritter wrote:

> >    In order to make intelligent decisions about objects (you're
> >across a 2400 baud modem line,
>
>  I'm sorry, but I just cannot suspend my disbelief about designing
>  a future protocol with a major concern for 2400 BPS modems.

    The point is not 2400 baud modems -- the point is that no matter
*what* speed you've got between you and your message store, there
*will* be times when it is equivalent to a garden hose attempting to
drain Hoover Dam, relative to the amount of data in a single blob to
be accessed on the remote end.  And in that kind of situation, you
really, really, want to be able to make the most intelligent
decisions about that kind of data that you can.


    Remember -- data grows to exceed capacity, no matter how large
the capacity is.  People used to say that there would never be a need
for more than fourteen computers in the entire world.  People used to
say that no one could possibly ever make use of more than 64KB RAM.
People used to say a lot of things, but the reality of it is that no
matter what you think is so large as to be virtually infinite, a lot
sooner than you or anyone else can possibly realize, that size will
become uncomfortably small.

>  If one wishes to hide what is in the box, one cannot open the box
>  on a server even to make sure what it is.  If one wants to open
>  these things on the server, tell the source to use by ordinary
>  e-mail.  Simple as that.

    I disagree.  This is a specification for a pretty system that
virtually no one will ever use because it is too hard to get at
what's inside until it's too late.


    Water flows through a clenched fist, and people will beat a path
to someone else's door because I can guarantee that there are people
implementing secure email technologies that do not agree with your
philosophy, and I think a significant percentage of people will find
your approach far too restrictive.

> >I didn't think so....  The prospect
> >of encrypting your private keys, uploading them to the server so that
> >it can use them to temporarily decrypt the objects to make
> >intelligent decisions about them, and then trust that the server will
> >remove its in-memory cop{y/ies} of the key(s) in question is not a
> >particularly attractive one, either....
>
>  Even having such keys in server memory is a BIG mistake.

    That much I'll agree on.  However, since the appraoch of several
people on this list appears to be "saying you can't do it at all is a
total non-starter", I have to assume that this then *requires* you to
find some sort of optional alternative.  You don't have to turn it on
by default, but it does have to be able to be utilized.

>  Fine, I agree that we want people to use it.  But it is my
>  understanding that this is a *security* standard.  If people want
>  to send things now, they can.  What this proposes to add is
>  *security*.  And for what I would consider fairly flimsy reasons,
>  you're ready to infringe upon security.  I'm not.

    Security is not what you define it to be.  If the user decides
that something does not need to be protected, then *they* are
defining security to be something other than what you are letting
them do.  And since you're constantly restricting them from doing
things that they want to do, they'll simply go somewhere else.  Just
how much security have you really added to their system?

>  I don't have all the answers.  I do have security concerns.

    I don't have all the answers, either.  Heck, I don't think I have
any of the real answers.  I think I can ask good questions, and
(using myself as a yardstick), I think I can guess as to what some
users are likely to want to do.  And if I can't do what I want to do
with your standard, then I'm going somewhere else.  Period.

    We can't let that happen.  We have to be flexible enough that we
can accomodate the desires of the power users, as well as the
security concerns of the truly paranoid (companies like RSA have
people who get paid to be far more paranoid than should be legal
outside of an asylum ;-), while still managing to be useful enough to
the "common person" that they will actually be likely to use the damn
thing.  And that's one heck of a tall order.

        -Brad

--
Brad Knowles,                                  MIME/PGP: brad@his.com
    comp.mail.sendmail FAQ Maintainer     <http://www.his.com/~brad/>
        finger brad@his.com for my PGP Public Keys and Geek Code
The comp.mail.sendmail FAQ is at <http://www.his.com/~brad/sendmail/>
Next message: Brad Knowles: "Re: Draft of workshop notes"
Previous message: Terry Ritter: "Re: Security Problems"
Maybe in reply to: Terry Ritter: "Security Problems"