[messaging] The Simple Thing

Ben Laurie ben at links.org
Thu Oct 2 03:25:25 PDT 2014


On 25 September 2014 09:48, Trevor Perrin <trevp at trevp.net> wrote:
> Moxie made a cost/benefit argument for TOFU+fingerprints, instead of
> transparency logs:  they both do "roughly the same thing" [3] in
> detecting key changes, but supporting TOFU and fingerprints is easy,
> whereas transparency logs require a new infrastructure of logs,
> monitors, gossip protocols, publishing all addresses, etc.
>
> On the list, no one answered Moxie with a detailed argument as to how
> transparency logs add enough benefit to justify the cost, compared to
> the "simple thing".  It seems like an open question.

Well, I'll bite...

Some time, Moxie wrote:
> On 08/28/2014 11:51 AM, zaki at manian.org wrote:
> > The purpose to CT is not to protect users from MITM attacks. The purpose
> > of CT is protect the operators of key directories from coercion and the
> > network from malicious/subverted key directory operators. CT will permit
> > a response that complying with a lawful interception order will result
> > in a significant loss of business for a directory operator. Keys will be
> > non-repudiable and thus it will clear after an adverse event who
> > facilitated the MITM attack.
> >
> > Specifically, Google and Yahoo are large commercial entities that want
> > to operate an encrypted communication network without key escrow in a
> > way acceptable to their lawyers. The current operators of large e2e
> > networks(iMessage, BBM) use key escrow as part of their compliance
> > regime with lawful interception orders.
>
> Even in that context, I'd love to hear why you think "the simple thing"
> doesn't accomplish the same goals.
>
> > "Keys will be non-repudiable and thus it will clear after an adverse
> > event who facilitated the MITM attack."
>
> I still don't understand how this is true.  All that "we" see is that a
> key changed, which is a completely normal event and will be happening at
> a rate which is probably difficult for "us" to even keep up with.  All
> "we" really have is the word of the user that something in the log is
> inappropriate.  I don't see any other real definitive "proof."
> So what's the difference between CT and "the simple thing?"  In both
> cases, all we have is the word of the user that something they claim to
> be amiss is amiss.

The difference is that with CT the user whose key changes necessarily
becomes aware that it has changed. In "the simple thing?" only the
targeted user of the key is aware of this change.

I think I agree that once the user sees this and declares it to be
wrong, then the rest of the world has no proof that the user is
correct, in either case. But surely greater detection rates are still
an improvement?

In other words, the question of proof that a key change was not
initiated by (or on behalf of) the key owner is orthogonal to the
question of how the owner detects such a change.

At the very least, if I find out about a change of my key that I did
not authorise, then _I_ know not to trust the service that did it,
even if I can't convince you.

> > "CT will permit a response that complying with a lawful interception
> > order will result in a significant loss of business for a directory
> > operator."
>
> It seems like, in the CT case, the provider is essentially saying "by
> performing this MITM attack, the user *could* be one of the few that
> notices, in which case we'd be in big trouble."
> Isn't this just as true for "the simple thing?"  The provider can say
> "listen, this user's client *could* alert them to a key change, in which
> case we'd be in big trouble."

The point is that in the CT case the key owner is necessarily informed
that the change has occurred. In "the simple thing?" the only person
who is aware of a key change is the targeted user, who does not know
whether the change was expected or not.

> They seem to offer roughly the same "legal coercion" properties, but the
> CT scheme is way more complex, doesn't offer realtime MITM protection,
> has a spam problem, and will likely result in the provider being falsely
> accused on a regular basis.  The false accusations might even weaken the
> "legal coercion" case, if they're frequent enough.

It seems odd to argue that scheme A is better than scheme B because A
reduces the chance of detection of badness vs B and thus doesn't raise
the problem of what you do about that badness...

BTW, it seems to me that getting to the state where key changes are
rare would be useful in either case.


More information about the Messaging mailing list