A single break system that was deployed is 100% better than a system that will never be deployed.
We have tried doing the undeployable approach to secure email for thirty years and it has not worked yet and shows no sign of becoming more deployable in the future.

If we go back to the earliest security work at the O/S level by the likes of Tony Hoare and Butler Lampson we get to the idea that all security sensitive actions should be funneled through a single gating point that is pervasive. That works really well in the O/S world because in practice you can't stop a policy enforcement point from being a potential point of failure.

The reason I dislike the peering model is that instead of one single point of failure you end up with fifty single points of failure. If Alice has her private key on every device that can read email then the loss of any one of those devices exposes her key and all the emails.

On Wed, Feb 15, 2012 at 11:30 PM, Martin Rex <[email protected]> wrote:
> Kyle Hamilton wrote:
>>
>> Phillip Hallam-Baker <[email protected]> wrote:
>> >
>> > So now we see why security policy driven by MUA published security
>> > policy is going to fail: there is no consistency in the MUA loop. I
>> > read mail on four separate devices. They have no way to communicate
>> > between themselves to negotiate a common security policy and I
>> > certainly would not want them to.
>>
>> 'Certainly'? You wouldn't want your systems to work together to
>> seamlessly and transparently add protections to all of your personal
>> intellectual property, permitting secure access from devices which you
>> enrolled or otherwise authorized, with potentially a completely
>> transparent and automatic secure authorization process? You wouldn't
>> want your systems to automatically and securely manage your utility
>> and ceremonial keys so that your command is the only one which can
>> permit their application? You wouldn't want your systems to implement
>> key expiration and rollover, or automatically enroll new keys into
>> new PKIs as such would become useful?
>>
>> I'm sorry, but I would. And I do.
>
> I certainly would NEVER want that.
>
> What you're calling for is a "single break-in" system, where breaking
> into one of your devices enables the attacker to immediately take
> possession of all your other devices for free.
>
> -Martin

--
Website: http://hallambaker.com/

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
