Send cryptography mailing list submissions to cryptography@metzdowd.com

1. Send cryptography mailing list submissions to
2. cryptography@metzdowd.com
3.  
4. To subscribe or unsubscribe via the World Wide Web, visit
5. http://www.metzdowd.com/mailman/listinfo/cryptography
6. or, via email, send a message with subject or body 'help' to
7. cryptography-request@metzdowd.com
8.  
9. You can reach the person managing the list at
10. cryptography-owner@metzdowd.com
11.  
12. When replying, please edit your Subject line so it is more specific
13. than "Re: Contents of cryptography digest..."
14.  
15.  
16. Today's Topics:
17.  
18. 1. Making models + scenarios realistic (John Denker)
19. 2. Re: Making scenarios realistic (Ralf Senderek)
20. 3. Re: Making scenarios realistic (Phillip Hallam-Baker)
21. 4. Re: Making scenarios realistic (Ralf Senderek)
22. 5. Re: Making models + scenarios realistic (Ralf Senderek)
23.  
24.  
25. ----------------------------------------------------------------------
26.  
27. Message: 1
28. Date: Sun, 14 Apr 2019 23:54:36 -0700
29. From: John Denker <jsd@av8n.com>
30. To: Phillip Hallam-Baker <phill@hallambaker.com>, Cryptography Mailing
31. List <cryptography@metzdowd.com>
32. Subject: [Cryptography] Making models + scenarios realistic
33. Message-ID: <03ccef17-4658-ba23-c0ea-df34a9ed46e8@av8n.com>
34. Content-Type: text/plain; charset=utf-8
35.  
36. On 4/13/19 8:02 AM, Phillip Hallam-Baker wrote in part:
37.  
38. > So the reason Alice and Bob are worried about Eve overhearing their
39. > conversations is that Alice is married to Eave but she really wants to have
40. > an affair with Bob who is really interested but a little worried that Alice
41. > might turn out to be an axe murderer. And yes, Alice does have an axe
42. > hidden under her bed because she is 4'11" tall weighing less than 100lb and
43. > Bob is the Naval mixed martial arts champion.
44.  
45. But is she /exactly/ 4'11" ????
46.  
47. > My point here is not humorous.
48.  
49. Yet the scenario is ludicrous. The rococo details tell us that
50. this scenario covers a set of measure zero in a very large space.
51.  
52. Scenarios are infinitely important, but other considerations
53. are also infinitely important. In particular, you have to have
54. some sort of /model/. It's like high-school chemistry, where
55. you collected some data points and then fitted a straight line
56. to them:
57. -- The line is the model, with some adjustable parameters. It
58. allows you to interpolate between the data points, and to
59. extrapolate.
60. -- Scenarios play the role of data points. They allow you to
61. pin down the adjustable parameters in the model.
62.  
63. A good model incorporates your /understanding/ of the situation.
64. This understanding allows you to limit the number of parameters
65. in the model, which in turn reduces the number of scenarios that
66. are needed to constrain and test the model.
67.  
68. > brittle
69.  
70. Yes. Data points by themselves are infinitely brittle. They
71. have measure zero in a very large space.
72.  
73. Three of the smartest guys I know just got the Turing prize for
74. work that revolves around this principle:
75. *Without the model the scenarios are useless ... and vice versa.*
76.  
77. https://www.vox.com/future-perfect/2019/4/4/18294978/ai-turing-award-neural-networks
78. https://www.wired.com/story/godfathers-ai-boom-win-computings-highest-honor/
79.  
80. > people ask me about that scenario all the time.
81. >
82. > Ooops, sorry. Nobody has ever asked me about it, they just did it anyway
83. > knowing that there was a risk even though they were worried about it at the
84. > time.
85.  
86. Not only have they not asked; they wouldn't have had a
87. language to use for asking the question even if they wanted
88. to, even if they realized it was an important question.
89. They would have had no way to specify which details of the
90. situation are important to them and which are not.
91.  
92. > The cryptography is the easy part.
93.  
94. Yes.
95.  
96. > The hard part is working out what the scenarios should be.
97.  
98. Again: The scenarios are absolutely necessary but they are
99. not the only hard part, or even the hardest part. One must
100. also have a sharable understanding of what the security
101. model is /supposed/ to do. Scenarios can be used to test
102. understanding, but they do not create understanding.
103.  
104. A model is tantamount to a formal language for specifying
105. what you want. As always, language design is only secondarily
106. a language issue; understanding has to come first. Otherwise
107. the language becomes impossibly complex and inscrutable, to
108. the point where it is useless even to experts, not to mention
109. laypersons such as Alice.
110.  
111. Offering an encyclopedia of scenarios and asking Alice to
112. choose one is not feasible.
113.  
114. I once had a student pilot who didn't want to build explicit
115. mental models of the situation. She just wanted to practice
116. until she had seen all the scenarios. I explained that during
117. landing there are 12 different things you need to worry about.
118. If we oversimplify it to the point where each variable can
119. have only three different values (high, nominal, and low) that
120. still leaves us with half a million scenarios, and it would be
121. spectacularly infeasible to learn them all by rote. Instead
122. you must use /understanding/ in order to factor one infeasible
123. problem into 12 feasible problems, and then master those.
124.  
125. Obviously we have "some" understanding of what security policies
126. are supposed to do, but I'm not convinced it is enough, except
127. perhaps in certain tightly circumscribed micro-domains. For
128. example, consider the PGP "web of trust". What does that even
129. mean? For one thing, trust is not transitive, and secondly,
130. trust is hard to quantify. It's not even one-dimensional. I
131. have some neighbors whom I would trust to borrow the proverbial
132. cup of sugar but wouldn't trust to borrow my car or my credit
133. card.
134.  
135. Also: The /language/ issue runs both ways:
136. -- We need a way for Alice to tell her IT guy what she wants.
137. -- We also need a way for Hillary's IT guy to tell her about
138. the threats, in a way that she understands, e.g. that maybe
139. the inconvenience of using two-factor authentication is
140. small compared to the inconvenience of having your campaign
141. pillaged and burned by Fancy Bear.
142.  
143. Bottom line: A floridly detailed scenario is, ironically, a
144. way of illustrating the limitations of scenarios. We also
145. need models aka languages and (!) understanding.
146.  
147.  
148. ------------------------------
149.  
150. Message: 2
151. Date: Mon, 15 Apr 2019 10:04:32 +0200 (CEST)
152. From: Ralf Senderek <crypto@senderek.ie>
153. To: Phillip Hallam-Baker <phill@hallambaker.com>
154. Cc: Cryptography Mailing List <cryptography@metzdowd.com>
155. Subject: Re: [Cryptography] Making scenarios realistic
156. Message-ID: <alpine.LFD.2.21.1904151000350.3897@laptop.senderek.ie>
157. Content-Type: text/plain; charset=US-ASCII; format=flowed
158.  
159.  
160.  
161. On Sat, 13 Apr 2019, Phillip Hallam-Baker wrote:
162.  
163. > Perhaps a business model for a Web MetaNotary is selling the key escrow service to Alice.
164.  
165. Now that selling key escrow seems to be the business model you fancy,
166. you may put this study
167.  
168. (https://www.schneier.com/academic/paperfiles/paper-key-escrow.pdf)
169.  
170. on the new enterprise's web site.
171.  
172. --ralf
173.  
174.  
175. ------------------------------
176.  
177. Message: 3
178. Date: Mon, 15 Apr 2019 11:27:42 -0400
179. From: Phillip Hallam-Baker <phill@hallambaker.com>
180. To: Ralf Senderek <crypto@senderek.ie>
181. Cc: Cryptography Mailing List <cryptography@metzdowd.com>
182. Subject: Re: [Cryptography] Making scenarios realistic
183. Message-ID:
184. <CAMm+LwiBzQEqGpAJdp0=M=7518NVgSRuxL3h4ct3xDDWPmemUQ@mail.gmail.com>
185. Content-Type: text/plain; charset="utf-8"
186.  
187. On Mon, Apr 15, 2019 at 4:04 AM Ralf Senderek <crypto@senderek.ie> wrote:
188.  
189. > On Sat, 13 Apr 2019, Phillip Hallam-Baker wrote:
190. > > Perhaps a business model for a Web MetaNotary is selling the key escrow
191. > service to Alice.
192. >
193. > Now that selling key escrow seems to be the business model you fancy,
194. > you may put this study
195. >
196. > (https://www.schneier.com/academic/paperfiles/paper-key-escrow.pdf)
197. >
198. > on the new enterprise's web site.
199. >
200.  
201. I have made no such decision and I will just point out that most folk who
202. have claimed they know what my business model is have proved to be wrong in
203. the past.
204.  
205.  
206. The paper is from 1997. Think about that for a while. Back then we thought
207. that the biggest issue any crypto system had to address was how to
208. absolutely guarantee any possibility that the FBI could gain any imaginable
209. advantage in any circumstance whether realistic or not.
210.  
211. Yes, I know that the paper addresses the legitimate uses of local escrow
212. and if you look at the architecture I have in the Mesh, it follows largely
213. the approach suggested. But the paper itself was written as a rebuttal to
214. Louis Freeh when he was approaching peak crazy. A few months after it was
215. written, Freeh conspired with a corrupt prosecutor to impeach a President
216. in revenge for being snubbed on the key escrow issue.
217.  
218. It was ideology, not security.
219.  
220. And it hurt us badly because instead of actually solving real problems
221. people needed solving and delivering products that they could use, we
222. insisted on addressing really difficult problems like end-to-end secure
223. email and sneering at partial solutions such as transport security.
224.  
225. STARTTLS is pretty much the only email security in place today. We got it
226. ten years later than we could have had it and we ended up with end-to-end
227. email take up of about 2 million S/MIME and 2 million OpenPGP users having
228. registered a key - about -.1% of users. and they use it for maybe 1% of
229. their email.
230.  
231. We spent inordinate amounts of time making sure that IPSEC delivered
232. 'perfect' forward secrecy and as a result delivered a specification that
233. still doesn't actually work out of the box, is a pig to use and can only be
234. made tolerable with proprietary hacks.
235.  
236. Ideology does not deliver security.
237.  
238. As with the end-to-end arguments paper, this is a paper that is shared far
239. more often than it is read. The arguments made in the paper are not the
240. same as the ones that people seem to think. I suggest people read it. They
241. may well be surprised.
242.  
243. That said, it is a pity that the group didn't include any people with
244. experience of running a commercial CA. Otherwise they would know that there
245. is actually a very solid reason for escrowing signature keys and every CA
246. makes use of it. On the other hand, very few people were doing that in
247. 1997. I wasn't one of them then.
248. -------------- next part --------------
249. An HTML attachment was scrubbed...
250. URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20190415/dff45e57/attachment-0001.html>
251.  
252. ------------------------------
253.  
254. Message: 4
255. Date: Mon, 15 Apr 2019 19:39:26 +0200 (CEST)
256. From: Ralf Senderek <crypto@senderek.ie>
257. To: Phillip Hallam-Baker <phill@hallambaker.com>
258. Cc: Ralf Senderek <crypto@senderek.ie>, Cryptography Mailing List
259. <cryptography@metzdowd.com>
260. Subject: Re: [Cryptography] Making scenarios realistic
261. Message-ID: <alpine.LFD.2.21.1904151924190.3657@laptop.senderek.ie>
262. Content-Type: text/plain; charset=US-ASCII; format=flowed
263.  
264.  
265.  
266. On Mon, 15 Apr 2019, Phillip Hallam-Baker wrote:
267.  
268. > The paper is from 1997. Think about that for a while. Back then we thought that the biggest
269. > issue any crypto system had to address was how to absolutely guarantee any possibility that the
270. > FBI could gain any imaginable advantage in any circumstance whether realistic or not.
271.  
272. In 1997 I happened to know people who already tried to broaden the user
273. base of PGP keys in an academic environment including the improvisation of
274. user interfaces to PGP. But the common mindset was the opposition to key
275. escrow in any form, because key escrow is very different from key
276. availabilty/backup which was a pain in the neck back then, and still is.
277.  
278. > [...] we ended up with end-to-end email take up of about 2 million S/MIME and
279. > 2 million OpenPGP users having registered a key - about -.1% of users. and they use it for maybe
280. > 1% of their email.
281.  
282. Even if your numbers were correct (in the open source community a handful
283. of keys secure the integrity of a large number of OS packages, and almost
284. all users are unaware of their "use" of GPG keys) the lesson to be learned
285. here is that key management is the problem to be solved. But it has to be
286. solved in a way that the user can contol himself, not by key escrow.
287.  
288. --ralf
289.  
290.  
291. ------------------------------
292.  
293. Message: 5
294. Date: Mon, 15 Apr 2019 22:31:32 +0200 (CEST)
295. From: Ralf Senderek <crypto@senderek.ie>
296. To: John Denker <jsd@av8n.com>
297. Cc: Phillip Hallam-Baker <phill@hallambaker.com>, Cryptography
298. Mailing List <cryptography@metzdowd.com>
299. Subject: Re: [Cryptography] Making models + scenarios realistic
300. Message-ID: <alpine.LFD.2.21.1904152229100.5451@laptop.senderek.ie>
301. Content-Type: text/plain; charset=US-ASCII; format=flowed
302.  
303.  
304.  
305. On Sun, 14 Apr 2019, John Denker via cryptography wrote:
306.  
307. > Again: The scenarios are absolutely necessary but they are
308. > not the only hard part, or even the hardest part. One must
309. > also have a sharable understanding of what the security
310. > model is /supposed/ to do. Scenarios can be used to test
311. > understanding, but they do not create understanding.
312.  
313. And that's why I've asked for a threat model for the MESH.
314.  
315. --ralf
316.  
317.  
318. ------------------------------
319.  
320. Subject: Digest Footer
321.  
322. _______________________________________________
323. cryptography mailing list
324. cryptography@metzdowd.com
325. http://www.metzdowd.com/mailman/listinfo/cryptography
326.  
327. ------------------------------
328.  
329. End of cryptography Digest, Vol 72, Issue 6