[messaging] confidentiality trumps authenticity was: OpenPGP Trust is broken Was: On Signed-Only Mails

[Phillip Hallam-Baker]

On Thu, Dec 8, 2016 at 9:09 AM, holger krekel <holger at merlinux.eu> wrote:

> On Thu, Dec 08, 2016 at 08:10 -0500, Phillip Hallam-Baker wrote:
> > ​There are two sets of problems identified relating to signed emails.
> > CIA: Confidentiality, Integrity, Availability.
> >
> > The first, most important consideration in virtually every system is to
> > protect the availability of the data. The second most important is
> > integrity. Confidentiality is the least important concern.
> >
> > A bank that is hacked and customer bank details are disclosed is in
> trouble
> > but a bank that is hacked and has money stolen is in worse trouble and a
> > bank who loses its account data and cannot recover it from backups is a
> > ex-bank.
> >
> > All documents should be signed but only confidential documents need to be
> > or should be encrypted.
>
> Humans are not banks ... i am not sure this analogy is very helpful.
> People who are targetted and easily imprisoned say in Turkey or Egypt
> certainly care a lot about confidential communications and might be able
> to assert authenticity by other means than digital signatures.
>

​Arguments from dissident use cases are rarely made by people with
experience of serving their needs.

The authorities don't usually care about the content of communications. If
Alice is a dissident and they know she has talked to Bob then its twenty
years in the gulag for Bob regardless of what the messages say.

So traffic analysis is a very high concern. But you also need
authentication because that is the way that the authorities attack
networks. If I can get a person accepted into an online jihaddi forum, I
can quickly own that group.​

​
Confidentiality is certainly a big concern. And that is one reason I refuse
to have direct conversations with any dissidents, I am far too visible for
them to risk talking to me. The best, most certain way to prevent breach of
confidential information is not to have any.

But availability is still king and integrity is still queen. What those
people are risking their lives to do is to get the information ​out. That
is an availability concern.

If you have a system that provides for Integrity, you don't need
confidentiality because you don't need to publish information that puts
lives at risk in any form. If you know that a document was written by one
of the Federalist papers authors, you don't need to know who that is to
take notice of it.



> I currently agree with RFC7435 "Opportunistic Security" [*] which
> values encryption higher than authentication if it helps to defend against
> passive attackers. Conversely, if preventing active attacks makes a
> system more complex so that its adoption goes down and most people are
> thus not even safe against passive attacks we have failed.
>

​I think you have the argument mistaken there.

RFC7435 is talking about preventing mass surveillance. And that is a
confidentiality problem. OpenPGP is not designed to prevent mass
surveillance, ​and there are few tools less suited to that task than
OpenPGP and S/MIME. Other than sending an email to the NSA saying 'look at
me', I can't think of anything more likely to label you as a risk than
sending encrypted messages in an unencrypted transport.


​Back in the 1990s when OpenPGP and S/MIME were designed, crypto was
expensive. It took seconds to perform operations. Even with Raspberry Pi
class devices, crypto is essentially free since the CPU can encrypt faster
than the ethernet port can shovel bits.

​Back in the 1990s it was transport layer security OR message layer. Today
it is both.

Opportunistic encryption is certainly useful at the message layer and it is
practically free. But that doesn't mean authentication is more useful. And
RFC7435 is not an argument against authentication.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20161208/5650ca70/attachment.html>