On 08/22/2013 02:36 AM, Phillip Hallam-Baker wrote:
Thanks to Snowden we now have a new term of art 'Prism-Proof', i.e. a
security scheme that is proof against state interception. Having had
> an attack by the Iranians, I am not just worried about US interception.
> Chinese and Russian intercepts should also be a concern.

We have two end to end security solutions yet Snowden used neither. If
PGP and S/MIME are too hard to use for the likes of Snowden, they are
too hard to use. The problem Snowden faced was that even if he could
grok PGP, the people sending him emails probably couldn't.

Observation:  Silent Circle and Lavabit both ran encrypted email services.
Lavabit shut down a few days ago "rather than become complicit in crimes
against the American People."  I would say that's about as close as you can
skate to "We're facing a court order that we're not allowed to tell you
about."  Maybe even closer; we'll be forbidden to know whether anyone
prosecutes them for violating the presumed gag order.  Silent Circle shut
down soon after, saying, "We always knew the USG would come after us."
Which perhaps a little less clearly indicates a court oder they can't talk
about, but that's certainly one interpretation.

Egypt, Oman, and India refused to allow Blackberry to operate with their
end-to-end encrypted devices.  In cases where Blackberry is now allowed to
operate in those jurisdictions it is not at all clear that they are not
doing so using compromised devices whose keys shared with those governments.

Chinese military teams spent so much effort hacking at gmail and facebook
accounts, in order to ferret out dissidents, that Google was eventually
forced to cease doing business in China, and now gmail and facebook both
have some end-to-end encrypted clients.

My point I guess is that we have some evidence that Governments across the
world are directly hostile to email privacy.  Therefore any centralized server,
CA, or company providing same may expect persecution, prosecution or subversion
depending on the jurisdiction.

And it can never, ever, not in a billion years, be clear to users which if
any of those centralized servers or companies are trustworthy.  Google now
implements some end-to-end encryption for gmail but we also know that google
is among those specifically mentioned as providing metadata access to the
US government.  The exact details of Blackberry's keys in Oman, UAE, & India
are now subject to largely unknown deals and settlements.

Therefore, IMO, any possible solution to email privacy, if it is to be trusted
at all, must be pure P2P with no centralized points of failure/control and no
specialized routers etc.  And it can have no built-in gateways to SMTP.  Sure,
someone will set one up, but there simply cannot be any dependence on SMTP or
the whole thing is borked before it begins.  It is time to simply walk away
from that flaming wreckage and consider how to do email properly. S/Mime and
PGP email-body encryption both fail to protect from traffic analysis because
of underlying dependence on SMTP.  Onion routing fails to protect due to timing

So I say you must design your easy-to-use client completely replacing the
protocol layer.  No additional effort to install because this is the only
protocol it handles.

The traditional approach to making a system intercept proof is to eliminate
the intermediaries. PGP attempts to eliminate the CA but it has the unfortunate
effect on scalability. Due to the Moore bound on a minimum diameter graph, it is
only possible to have large graphs with a small diameter if you have nodes of
high degree. If every PGP key signer signs ten other people then we have to 
key chains of 6 steps to support even a million users and nine to support a
global solution of a billion users.

> My solution is to combine my 'Omnibroker' proposal currently an internet 
draft and Ben Laurie's Certificate Transparency concept.

I would start from a design in which mail is a global distributed database, with
globs that can be decrypted by use of one or more of each user's set of keys, 
all globs have expiry dates after which they cease to exist.  Routing becomes a
nonissue because routing, like old USENET, is global.  Except instead of 
message ID's, we just use dates (because timestamps are too precise) and message
hashes (because message IDs contain too much originating information).

No certificate, no broker, no routing information unless the node that first 
about the new glob has been compromised.  Each message (decrypted glob) 
contains one or more replyable addresses (public keys).

If we need more 'scalability' we could set up "channels" discriminated by some
nine bit or so substring of the message hash, and require senders to solve 
until they get a hash with the "right" nine bits to put it in the desired 
Still no routing information as such. Now Eve can tell what channel/s a user is
listening to, but the user has each of those channels in common with thousands
across the world most of whom s/he has no connection with.

Zero-trust anonymous email.

The cryptography mailing list

Reply via email to