[cryptography] Math corrections

Benjamin Kreuter brk7bx at virginia.edu
Mon Sep 19 19:31:03 EDT 2011

On 09/18/2011 05:11 PM, Marsh Ray wrote:
> B. If your threat model considers as an adversary government A, then
> you're in good company with governments B through Z. So all the comments
> on "won't save you from The Government", while true, are also
> potentially writing off your biggest ally.

Unless, of course, we continue to use the system as it exists today,
where any trusted CA can sign a certificate for anyone.  If a particular
government supports a CA that is "cooperative" with that government,
then either nobody in the world would be safe, or the system will
fracture and we will not have a global PKI.

> C. At the end of the day, governments need to log into their VPNs and
> check their MS Outlook Web Access email remotely just like everybody
> else. Now consider that this applies to process engineers at power
> plants and chemical facilities too. When you hear US DHS people talking
> about "national infrastructure vulnerable to cyber attack" they are
> sincerely concerned about this type of exposure.

So the only trustworthy CAs will be the ones that sign certificates for
power companies or other "national security" related entities?  We need
a system that can be used and trusted (to a reasonable degree) by
everyone, not just big or "important" organizations.

> At some point, the influence of people on the defense side will outweigh
> those who benefit from the attack side.

I doubt this will happen any time soon.  Consider this official (and
apparently still current) FAQ from the Department of Justice:


Yes, that was issued over a decade ago, but "key recovery" -- which we
are meant to believe is not the same as key escrow -- remains the DOJ's
goal when it comes to cryptography.  There is also the more recent push
by the Obama administration to create a system that allows law
enforcement agencies to more easily hijack domain names.

> Now that the cat's out of the bag about PKI in general and there's an
> Iranian guy issuing to himself certs for www.*.gov seemingly at will, I
> think the current PKI system will not escape the black hole at this
> point, it crossed the event horizon sometime earlier this year.

I doubt it.  The cat has been out of the bag on how easily email can be
forged for decades now, but how often do you receive digitally signed
email?  The cat has been out of the bag about running out of IPv4
addresses for many years, but IPv6 deployment has been sluggish.
Without a strong incentive, these things will not change, and the PKI is
no different.  I doubt that the current PKI will be gone by the end of
this decade -- criminal MITM attacks are just not in-your-face enough to
generate a public outcry, and governments are not terribly interested in
thwarting their own law enforcement agencies.

-- Ben
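The point Ben makes about the trust model (any trusted CA can sign a certificate for any name) can be shown concretely. The following Go program is an added illustration and is not part of the mailing-list post: it builds two self-signed root CAs ("Legit Root" and "Other Root", both constructed fixtures), has the second one issue a certificate for "www.example.com", and checks that certificate once against a root store that trusts both CAs and once against a store that trusts only the site's real issuer. The first check succeeds, the second fails, which is the whole difference between a browser-wide root store and an application that pins the issuer it expects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a self-signed root certificate with its private key.
// These are constructed test fixtures, not real CAs.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA generates a throwaway self-signed root named name.
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issue signs a server certificate for dnsName. Nothing in the X.509
// trust model itself prevents any CA from doing this for any name.
func (c *ca) issue(dnsName string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &leafKey.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor validates leaf for dnsName against exactly the given roots,
// ignoring whatever the operating system's root store contains.
func verifyFor(leaf *x509.Certificate, dnsName string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: pool})
	return err
}

// Demo returns whether a certificate for the site issued by a CA the site
// never used (a) verifies when both roots are trusted and (b) verifies when
// only the site's real issuer is trusted.
func Demo() (trustedBroadly bool, trustedWhenPinned bool, err error) {
	const site = "www.example.com" // constructed example hostname
	legit, err := newCA("Legit Root")
	if err != nil {
		return false, false, err
	}
	other, err := newCA("Other Root")
	if err != nil {
		return false, false, err
	}
	misissued, err := other.issue(site) // "Other Root" was never the site's CA
	if err != nil {
		return false, false, err
	}
	trustedBroadly = verifyFor(misissued, site, legit.cert, other.cert) == nil
	trustedWhenPinned = verifyFor(misissued, site, legit.cert) == nil
	return trustedBroadly, trustedWhenPinned, nil
}

func main() {
	broad, pinned, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted with both roots trusted: %v\n", broad)
	fmt.Printf("accepted with only the real issuer trusted: %v\n", pinned)
}
```

The mitigation shown here (a per-application root pool that trusts only the expected issuer) is the same idea as certificate or CA pinning; it trades the convenience of the global store for an explicit statement of which CA is allowed to speak for a given name.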
