(The subject line may be provocative, but please don't think I'm arguing that 
it's not useful.  I don't know.  I just had an idea a couple of days ago, and I 
figure it might be worth some discussion.)



OpenPGP takes its origins from ClassicPGP, which in turn comes out of a 
military threat model of the sort that was more or less standard policy 
everywhere from WW2 forwards:

1. Attackers can apply significant resources to interception, and they
   already know who they want to intercept
2. Communication technicians are trained, skilled and motivated
3. Communication channels are centrally defined and structured
4. Communiqués must be secure for decades or more

There are other elements, but these four are what interest me right now.  
OpenPGP defends quite neatly against point one, point two explains why it's 
okay for OpenPGP to have a learning curve like the Matterhorn, the Web of Trust 
(which is to say, a loose confederation of CAs) follows from point three, and 
long-term security is point four.

Now, while there are still environments in which those four criteria hold, the 
modern day seems to mostly be governed by four different principles:

1. Attackers need distinguishment more than interception
2. Defenders are unskilled and perhaps incompetent
3. Communication channels are ephemeral, media-hopping and ad hoc
4. Most people don't care if an individual email — or even a series of
   them — gets compromised

"Distinguishment versus interception" may need some explanation.  Intercepting 
communications is not very hard: finding what communications need to be 
intercepted is a labor of Hercules.  We are, figuratively speaking, drowning in 
a sea of irrelevant and useless data.  The major task is not being able to read 
the information, but being able to pick signal out from noise.  Distinguishment 
— differentiating signal from noise — is more important than interception — 
picking up the signal once you know what it is.

With respect to communication channels being ephemeral, media-hopping and ad 
hoc: today it's not unusual for a conversation to begin in SMS, hop to 
Facebook, migrate to email, and finish on IM.  Whatever tool we use to secure 
our messages needs to be as media-agile as our conversations.

And finally, most people simply don't care if their emails get read.  Open a 
stand outside a McDonald's offering "FREE BIG MAC AND FRIES FOR YOUR EMAIL 
SERVER PASSWORD" and see how many coupons you give away.  Odds are good that 
the loudest voices of outrage would come from Burger King and Wendy's, and 
they'd shut up once you set up booths outside their restaurants, too.[*]



... So, finally, here's my Modest Proposal.  Encrypt each communication 
(Facebook post, SMS, whatever) with a random 40-bit key.  Throw the key away.  
Send it.  The only way for your recipient to recover the key is to brute-force 
the message.  By our existing standards this would be absolutely crazy: and 
yet, it would foil large-scale Hoovering of email messages (adding that work 
factor to each email message would make large-scale analysis difficult), would 
address point 2 by getting rid of the learning factor ("install this plugin and 
that's all you have to do"), would address point 3 by being broadly applicable 
over a large swath of the problem domain, and if someone recovers a particular 
message anyway... well, as point 4 shows us, "meh."

(Note: if the phrase "Modest Proposal" wasn't enough of a giveaway, this is not 
a serious proposal.  It's a thought experiment, just something I found to be 
interesting enough to spend a few minutes contemplating.)






[*] Some years ago while teaching a computer literacy class, I had the 
undergrads reading David Brin's "The Transparent Society."  In it, Brin 
suggests offering a free Big Mac with a mouth swab and driver's license, and 
plugging these DNA samples into a database of unsolved crimes.  He cheerfully 
argues there are no privacy concerns since it is so obviously a bad idea, and 
yet people will voluntarily choose to do it anyway despite knowing it's stupid. 
 The class had a good talk about this.  The next Monday a couple of students 
talked to me after class.  "After class last week, we went down to the Pita 
Pit.  We were sitting around talking about how stupid Brin's idea was and how 
he was wrong and nobody would be that stupid ... and then we realized we were 
saying this while we were filling out credit-card applications in order to get 
a free pita."  When I asked them what they did next, they shrugged.  "We felt 
kind of stupid.  But we filled them out, got our free pita, and started talking 
about something else."

You can lead a horse to water, and you can even give the horse a straw, but...
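
The thought experiment above, sketched as an added example that is not part of the original post: each message is sealed under a random short key that is then discarded, and the recipient recovers it by exhaustive search. The SHAKE-256 keystream, the HMAC recognition tag, the blob layout and all function names are assumptions chosen for illustration; key_bits is a parameter so the search can be run at small sizes rather than only the 40 bits in the post.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, n: int) -> bytes:
    # Toy stream cipher (assumption): SHAKE-256 output keyed by the short key.
    return hashlib.shake_256(b"stream" + key).digest(n)

def _tag(key: bytes, ct: bytes) -> bytes:
    # Recognition tag so a searcher can tell when the right key was found.
    return hmac.new(b"tag" + key, ct, hashlib.sha256).digest()[:16]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(plaintext: bytes, key_bits: int = 40) -> bytes:
    """Encrypt under a fresh random key_bits-bit key; the key is never returned."""
    key = secrets.randbits(key_bits).to_bytes(8, "big")
    ct = _xor(plaintext, _keystream(key, len(plaintext)))
    # Constructed layout: 1 byte key size | 16 byte tag | ciphertext
    return bytes([key_bits]) + _tag(key, ct) + ct

def open_by_search(blob: bytes):
    """Try every key in order; return (plaintext, number of keys tried)."""
    key_bits, tag, ct = blob[0], blob[1:17], blob[17:]
    for guess in range(1 << key_bits):
        key = guess.to_bytes(8, "big")
        if hmac.compare_digest(_tag(key, ct), tag):
            return _xor(ct, _keystream(key, len(ct))), guess + 1
    raise ValueError("no key in the search space matched the tag")

def bulk_cost_seconds(messages: int, key_bits: int, trials_per_sec: float) -> float:
    """Expected time to open many messages: half the keyspace per message."""
    return messages * (2 ** (key_bits - 1)) / trials_per_sec

if __name__ == "__main__":
    blob = seal(b"see you at the pita place", key_bits=16)  # small size for the demo
    text, tried = open_by_search(blob)
    print(text, "recovered after", tried, "trial keys")
    # The rate of 10**6 trials per second is an assumed figure, not a benchmark.
    for n in (1, 10**6):
        days = bulk_cost_seconds(n, 40, 10**6) / 86400
        print(f"{n} message(s) at 40 bits: about {days:,.0f} days")
```

The same expected cost applies to the intended recipient and to anyone else holding the blob, which is the trade the post describes: the work is small for one message and adds up only across bulk collection.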

