Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-09-05 Thread Peter Gutmann
"Perry E. Metzger"  writes:

>I can think of no circumstances where I would voluntarily use LDAP as the
>solution to any problem of any sort.

"Our direct competitor has asked us to recommend a technology for .  What should we recommend to 
them?".

(Bit of an artificial example, but between that and Corba you can really mess
up someone's business).

Peter.
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-29 Thread Dave Horsfall
Please stop using that stupid "Reply All" function; I'm on the list, and 
will hence see your reply anyway.

I don't need my own bloody personal copy of it.

-- Dave


Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-29 Thread Perry E. Metzger
On Thu, 29 Aug 2013 01:18:59 +1000 (EST) Dave Horsfall
 wrote:
> On Wed, 28 Aug 2013, Perry E. Metzger wrote:
> 
> > Anyway, I've already started implementing my proposed solution to
> > that part of the problem. There is still a need for a distributed
> > database to handle the lookup load, though, and one that is not
> > the DNS.
> 
> (Delurking)
> 
> This suggests the use of LDAP.

I can think of no circumstances where I would voluntarily use LDAP as
the solution to any problem of any sort.

In any case, you will note that LDAP does not actually solve the
problem statement as I gave it: that is to say, users must be able to
join the system without the permission or assistance of systems
administrators.

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-28 Thread Phill

On Aug 28, 2013, at 11:18 AM, Dave Horsfall  wrote:

> On Wed, 28 Aug 2013, Perry E. Metzger wrote:
> 
>> Anyway, I've already started implementing my proposed solution to that 
>> part of the problem. There is still a need for a distributed database to 
>> handle the lookup load, though, and one that is not the DNS.
> 
> (Delurking)
> 
> This suggests the use of LDAP.


I don't see that at all. In fact I think that nothing has hurt deployment of 
PKI more than LDAP. 

The problem for the email client is very simple:

"What is the key etc. to send email to al...@example.com"


I can solve that very easily with an HTTP lookup or a very short Web Service 
with JSON query syntax. If LDAP is involved there will be a consultant setting 
up the directory and building fancy DIT trees and racking up bills of $100,000+ 
for something that makes no difference to the actual query.

Now if the certs are already in an LDAP directory then fine, let's pull data 
from that resource. But if they are not in LDAP already there are much easier 
ways to interface a database of certs to a query interface.




Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-28 Thread Dave Horsfall
On Wed, 28 Aug 2013, Perry E. Metzger wrote:

> Anyway, I've already started implementing my proposed solution to that 
> part of the problem. There is still a need for a distributed database to 
> handle the lookup load, though, and one that is not the DNS.

(Delurking)

This suggests the use of LDAP.

-- Dave


Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-28 Thread Jerry Leichter
A different take on the problem:  Would something built around identity-based 
encryption help here?  It sounds very tempting:  My email address (or any other 
string - say a bitmap of a picture of me) *is* my public key.  The problem is 
that it requires a central server that implicitly has access to my private key. 
There are some proposals around to work around that (e.g., by constructing the 
key from a combination of keys from different key generators).  But we could go 
another route:  I can run a key generator on my own hardware.  That doesn't 
quite solve the problem, since you now need a secure way to find my key 
generator - any generator will happily tell you how to encrypt using 
leich...@lrw.com to generate the public key, and *it* will have the 
corresponding private key.

I don't quite see how to make this work, but IBE seems like a primitive that 
might be helpful, somehow.
-- Jerry



Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-28 Thread Christian Huitema
This is exactly the problem that Kim Cameron and I tried to solve by developing 
what we called "call signs." The idea is to compress the hash of the public key by 
solving a puzzle: find the arbitrary "salt" so that the hash of the salt and 
the public key ends with a large enough number of zeroes. (Or 1, or any 
arbitrary patterns.) Publish then the "call sign" as a fraction of the hash, 
say the leading bits, that is short enough to be memorized, or at least written 
on a napkin. Of course, you have to verify that N bits of call signs + M zeroes 
is long enough to provide a strong hash.

The birthday paradox tells us that collisions will happen after 2^(N/2) users 
in the same space. We assumed that the practical length was at most 10 
characters, 50 bits, which means collisions would happen after a few million 
users. We mitigated that by adding a human identifier in the mix, making the 
call sign something like "Perry.A32-H45Z-ZE0." Now the collisions only happen 
in the space of "all people named Perry", which is much smaller than 
"everybody."

Of course, this was a Microsoft project, which Microsoft did not choose to 
develop. And it was patented...

-----Original Message-----
From: cryptography-bounces+huitema=huitema@metzdowd.com 
[mailto:cryptography-bounces+huitema=huitema@metzdowd.com] On Behalf Of 
Perry E. Metzger
Sent: Wednesday, August 28, 2013 5:53 AM
To: Jerry Leichter
Cc: Wendy M. Grossman; cryptography@metzdowd.com
Subject: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal 
candidates for mix networks)

On Tue, 27 Aug 2013 23:52:23 -0400 Jerry Leichter 
wrote:
> But none of that matters much any more.  "Publication" is usually
> on-line, so contact addresses can be arbitrary links.  When we meet
> in person, we can exchange large numbers of bits between our
> smartphones.  Hell, even a business card can easily have a QR code
> on the back.

Just as an FYI, this describes exactly zero of the times that I've
gotten people's email or jabber addresses in recent years. Very
typically people have written them down for me, told them to me over
the phone, or the equivalent. I've had to read mine over the phone a
fair bit, too.

I wouldn't know how to trust publication online in the first
place.

"Perry Metzger's email is "
"How do I know that's true?"
"Because it is encrypted in "
"What if that's a lie? I've never heard Perry utter "
"What, you don't trust me? No dishonest person has a web server!"

If someone tells me they're f...@example.com, and I have a trustworthy
way of mapping f...@example.com into a long lived key (see my first
message in this sequence of three that triggered this discussion),
life is a lot better. I think this alone is a lot of why X.500 died
so fast compared to SMTP -- the addresses were simply untenable, and
they were at least in theory human readable.

Anyway, I've already started implementing my proposed solution to
that part of the problem. There is still a need for a distributed
database to handle the lookup load, though, and one that is not the
DNS.

Perry
-- 
Perry E. Metzger  pe...@piermont.com

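The "call sign" construction described in the message above, as an added sketch that is not part of the original post or of the project it mentions: search for a salt so the hash of salt and public key ends in M zero bits, publish the leading N bits with a human name in front, and verify both on receipt. SHA-256, the 8-byte salt counter, the Crockford base32 alphabet, the 3-4-3 grouping, the 16-bit difficulty and all function names are assumptions made for the demo.

```python
import hashlib

ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # Crockford base32 (assumed encoding)
N_BITS = 50     # call-sign length from the post: 10 characters, 50 bits
M_ZEROES = 16   # puzzle difficulty (assumed; small so the demo finishes quickly)

def _hash_int(salt: int, pubkey: bytes) -> int:
    # Hash of salt || public key. SHA-256 and the 8-byte salt are assumptions.
    data = salt.to_bytes(8, "big") + pubkey
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _encode(h: int, name: str) -> str:
    top = h >> (256 - N_BITS)  # leading N bits of the hash
    chars = "".join(ALPHABET[(top >> s) & 31] for s in range(N_BITS - 5, -1, -5))
    return f"{name}.{chars[:3]}-{chars[3:7]}-{chars[7:]}"

def make_call_sign(name: str, pubkey: bytes):
    """Find a salt whose hash ends in M_ZEROES zero bits; return (call sign, salt)."""
    salt = 0
    while _hash_int(salt, pubkey) & ((1 << M_ZEROES) - 1):
        salt += 1
    return _encode(_hash_int(salt, pubkey), name), salt

def verify_call_sign(call_sign: str, salt: int, pubkey: bytes) -> bool:
    """Recompute the hash; require the zero suffix and the advertised leading bits."""
    h = _hash_int(salt, pubkey)
    if h & ((1 << M_ZEROES) - 1):
        return False  # puzzle not solved for this salt and key
    name = call_sign.rsplit(".", 1)[0]
    return _encode(h, name) == call_sign

if __name__ == "__main__":
    key = b"constructed sample public key bytes"  # constructed, not a real key
    sign, salt = make_call_sign("Perry", key)
    print(sign, salt, verify_call_sign(sign, salt, key))
```

A substituted key has to reproduce both the N published bits and the M zero bits, which is why the post says N + M must be long enough to make a strong hash.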


Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-28 Thread Jerry Leichter

On Aug 28, 2013, at 8:52 AM, Perry E. Metzger wrote:

> On Tue, 27 Aug 2013 23:52:23 -0400 Jerry Leichter 
> wrote:
>> But none of that matters much any more.  "Publication" is usually
>> on-line, so contact addresses can be arbitrary links.  When we meet
>> in person, we can exchange large numbers of bits between our
>> smartphones.  Hell, even a business card can easily have a QR code
>> on the back.
> 
> Just as an FYI, this describes exactly zero of the times that I've
> gotten people's email or jabber addresses in recent years. Very
> typically people have written them down for me, told them to me over
> the phone, or the equivalent. I've had to read mine over the phone a
> fair bit, too.
The apps to make the transfer easy don't exist, so we still use the old 
mechanisms.  Think about the absurdity:  You have a high-speed digital 
connection to someone, and rather than using it to transfer a couple of hundred 
bits reliably, you encode it ambiguously in an analogue waveform, write it down 
on a piece of paper, then type that data back in.  Yes, it works - but does 
that sound like a rational way to do things?

> I wouldn't know how to trust publication online in the first
> place.
In exactly the same way you trust paper publications that contain today's style 
of addresses.

> 
> "Perry Metzger's email is "
> "How do I know that's true?"
And exactly how is this different from "Perry Metzger's email is 
pe...@piermont.com"?

> "Because it is encrypted in "
> "What if that's a lie? I've never heard Perry utter "
> "What, you don't trust me? No dishonest person has a web server!"
> 
> If someone tells me they're f...@example.com, and I have a trustworthy
> way of mapping f...@example.com into a long lived key (see my first
> message in this sequence of three that triggered this discussion),
> life is a lot better.
A minority of people have addresses that are easy to remember.  Most - by far 
the majority - have some random-looking set of letters and digits with some 
part of their first or last name or a nickname embedded somewhere inside at 
gmail or yahoo or some institution.  You can say "Well, if everyone has their 
own server, then they can pick their own name" - but then you end up with 
non-memorable domain names.

Frankly, I have trouble remembering the last time I got someone's email address 
by having them tell it to me.  Most addresses come to me these days from LDAP 
or a similar institutional database; or embedded in a mail message (like one of 
the ones on this list); or printed somewhere.  Since I got a domain name way 
back when it was actually possible to get three-letter names, I have an address 
that's reasonably easy to tell people - so I'll often tell them, after they've 
rattled off something I'll certainly forget within minutes - "write to me at 
leich...@lrw.com so I'll have your address".  :-)
 
> I think this alone is a lot of why X.500 died
> so fast compared to SMTP -- the addresses were simply untenable, and
> they were at least in theory human readable.
X.500 died because everything it was connected to died.  And in the end it 
never actually got to the point where it solved anyone's problems.

> Anyway, I've already started implementing my proposed solution to
> that part of the problem. There is still a need for a distributed
> database to handle the lookup load, though, and one that is not the
> DNS.
It's perfectly reasonable to have human-name-to-computer-identity maps.  It's 
certainly something I depend on all the time at a local level:  Mail.app knows 
tons of addresses I use, and if all else fails I can, and do, search my 
previous emails to find someone's address.  (That makes for a much more 
flexible, and useful, person database than any stand-alone database I've seen:  
I can search based on anything I can remember about the person, such as what he 
wrote about, when we last corresponded, who else was involved in the 
conversation.)  Large institutions have their own internal databases.  But a 
global database seems rather pointless to me.  There are too many people with 
similar names.  Try using LinkedIn to find someone who you only know a bit 
about by name.  Sometimes it works; sometimes you find ten people who *might* 
be the person you're looking for.

The whole notion of talking securely to someone who you yourself have no way of 
specifying uniquely is incoherent.  No clever implementation can help.

-- Jerry


> Perry
> -- 
> Perry E. Metzger  pe...@piermont.com



Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-28 Thread Faré
> There is still a need for a distributed
> database to handle the lookup load, though, and one that is not the
> DNS.
>
What do you think of namecoin?

—♯ƒ • François-René ÐVB Rideau •Reflection&Cybernethics• http://fare.tunes.org
Truth comes as conqueror only to those who have lost the art of receiving it
as friend. — Tagore

Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-28 Thread Perry E. Metzger
On Wed, 28 Aug 2013 10:24:43 -0400 Jerry Leichter 
wrote:
> > I wouldn't know how to trust publication online in the first
> > place.
>
> In exactly the same way you trust paper publications that contain
> today's style of addresses.

But I don't. As I said, I typically get a friend or collaborator's
email address from them or from someone else I know. I don't get them
from paper publications, or QR codes. Often as not they are literally
written on cocktail napkins at conference receptions.

> > "Perry Metzger's email is "
> > "How do I know that's true?"
> And exactly how is this different from "Perry Metzger's email is
> pe...@piermont.com"?

If you meet me and I say it to you, I'm probably reasonably correct
about it. If you ask a mutual friend what it is (possibly by email),
they're probably reasonably correct.

> A minority of people have addresses that are easy to remember.

That's not true, actually. I know because I make a habit of not using
an address book in my mail program. In any case, "easy to remember"
isn't the issue, "easy to scribble down accurately" is.

> Most - by far the majority - have some random-looking set of
> letters and digits with some part of their first or last name or a
> nickname embedded somewhere inside at gmail or yahoo or some
> institution.

So, I just did a check. I have a file with all the addresses I care
about in it (I manually cut and paste them into email when I want
to.) It has 625 addresses in it. Of those, 47 have digits in them. I
note that the vast majority of those are addresses of people at
Columbia University, which has a particularly bad naming system but
where I have a lot of correspondents. Of the rest, the majority are
things like "m...@example.com", or "joe.exam...@gmail.com" -- easy to
write on a cocktail napkin.

I note exactly none of the addresses contain 10 digits of base 64.
Even the numeric ones are things like "jrn26" for someone with those
initials, which is pretty easy to scribble down.

> Frankly, I have trouble remembering the last time I got someone's
> email address by having them tell it to me.

For me, it was Monday, over the phone.

Anyway, we both have our opinions here, I'm sure we're not going to
come to a single agreement. I'm implementing something based on my
hunches, I invite others to do the same.

Let a thousand flowers bloom...

Perry
-- 
Perry E. Metzger  pe...@piermont.com