don't use encrypt to self (Re: legislating the impossible?)
Carl Ellison
cme at acm.org
Sun, 05 Jul 1998 15:24:11 -0400
-----BEGIN PGP SIGNED MESSAGE-----
At 04:54 PM 7/5/98 +0100, Adam Back wrote:
>
>I commented that in my view encrypt to self should not be used because
>of the risks it adds.
>
>Someone asked me off list why I held this view, so I thought I'd
>comment here too.
>
>The problem with `encrypt to self' is that it places access to
>ciphertext on my disk under the control of a third party -- the
>sender. What's more I have no idea what precautions the sender takes
>of their key or passphrase -- they might not have a passphrase, or
>have it written on a sticky note on the side of their screen, and they
>may be using a multi user unix system.

Adam,

that's an important point, but I think there is a more global solution.

[I was burned by this back at TIS, BTW. I argued that e-mail keys (e.g.,
PGP) didn't need to be "recovered" by the user because they're
communications keys. The response was that people store their mail, as
received, in their mail folders -- so those communications keys become
storage keys...and therefore, they needed to be kept for later emergency
recovery.]

My ideal mailer would keep *all* my mail enciphered, under a personal key of
my own. That key would probably be symmetric, rather than asymmetric, and I
could change it as often as I liked, although by not using it for
communication, the only threat is theft. If the mailer does that, then the
keys used in transmission are used only for that length of time. They really
are communication keys only.

The passphrase by which I open this storage key should be strong enough to
keep out a thief who breaks in and steals my computer, but it should also be
convenient enough that I won't get angry at it each time I use it.

My preference for achieving that contradiction would be to use

http://www.clark.net/pub/cme/html/rump96.html

for that passphrase -- maybe with 128-bit strength -- but to have the
storage key not kept in the clear in my memory while I have the mailer open.
Rather, I would generate a small passphrase (e.g., 3 characters) at random
and encipher the storage key under that. Then for each use of the storage
key, I would demand the little passphrase from the user -- and if he gets it
wrong even once, delete that copy of the key and go back to the rump96
mechanism. I'd also delete that copy after some length of time (user
settable).

There are still reasons not to have encrypt-to-self, given this
architecture, but there would be fewer people desiring to use it if their
own copy of the outgoing mail were kept strongly encrypted.

- Carl

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3
-----END PGP SIGNATURE-----
+------------------------------------------------------------------+
|Carl M. Ellison cme@acm.org http://www.clark.net/pub/cme |
| PGP: 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 |
+-Officer, officer, arrest that man. He's whistling a dirty song.--+
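
The storage-key handling described in the message above, sketched as an added example (not Carl Ellison's code and not part of the original post). Assumptions: the names `derive`, `wrap`, `unwrap`, `SessionKey` and `open_mailer` are hypothetical, PBKDF2 with an XOR mask and an HMAC tag stands in for a real key-wrap cipher, and the rump96 passphrase is represented by an ordinary long passphrase.

```python
import hashlib, hmac, secrets, string, time

def derive(secret: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the key, the last 32 key the integrity tag.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, dklen=64)

def wrap(key: bytes, secret: str):
    """Encipher a 32-byte key under a passphrase (stdlib stand-in for a key wrap)."""
    if len(key) != 32:
        raise ValueError("this sketch wraps 32-byte keys only")
    salt = secrets.token_bytes(16)          # fresh salt, so the mask is never reused
    k = derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(key, k[:32]))
    return salt, ct, hmac.new(k[32:], ct, hashlib.sha256).digest()

def unwrap(blob, secret: str):
    """Return the key, or None if the passphrase is wrong."""
    salt, ct, tag = blob
    k = derive(secret, salt)
    if not hmac.compare_digest(tag, hmac.new(k[32:], ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, k[:32]))

class SessionKey:
    """Copy of the storage key held under a small random passphrase while the mailer is open."""
    ALPHABET = string.ascii_lowercase + string.digits

    def __init__(self, storage_key: bytes, ttl_seconds: float, clock=time.monotonic):
        # The 3-character passphrase is generated at random and shown to the user once.
        self.short = "".join(secrets.choice(self.ALPHABET) for _ in range(3))
        self._blob = wrap(storage_key, self.short)
        self._clock, self._expires = clock, clock() + ttl_seconds

    def use(self, attempt: str):
        """Key for one operation; the copy is deleted on timeout or on a single wrong guess."""
        if self._blob is None or self._clock() >= self._expires:
            self._blob = None
            return None
        key = unwrap(self._blob, attempt)
        if key is None:
            self._blob = None               # no second try: back to the long passphrase
        return key                          # caller should drop it right after use

def open_mailer(at_rest_blob, long_passphrase: str, ttl_seconds=900, clock=time.monotonic):
    """Unlock with the strong passphrase, then keep only the short-passphrase copy."""
    key = unwrap(at_rest_blob, long_passphrase)
    return None if key is None else SessionKey(key, ttl_seconds, clock)
```

The one-strike deletion only limits guesses made through the mailer itself; a three-character passphrase gives no protection to a wrapped copy that has been read out of memory, and Python cannot guarantee that discarded key bytes are scrubbed.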