good uses for IBE -- non-interactive forward secrecy (Re: Identity-based public key cryptography)
Peter Fairbrother
peter.fairbrother at ntlworld.com
Wed, 19 Dec 2001 14:12:44 +0000
> Adam Back wrote:
[snips here and there]
> Non-interactive forward secrecy is interesting for email security as
> traditional forward secrecy providing protocols such as ephemeral DH
> key negotiation don't work for that application.
They work if the sender can get a DH keypart that the recipient has left
somewhere, eg in the email server. This can be one-time-use or eg changed
daily. This is the offline forward secrecy protocol used in m-o-o-t.
> At least the Cocks IBE scheme seems computationally efficient if
> somewhat communication inefficient. But I'm not finding the slides
> overly clear. It looks at one point as if the recipient has to
> interact with the server to decrypt the message, meaning the sender
> can be offline from the identity server, but the recipient has to be
> online with it. If this interpretation is correct, the scheme is not
> interesting. (Anyone else managed to interpret the slides to
> comment?)
I read it as: the recipient asks the CA for a private key (derived from a
hash of his email address, said hash being his public key and computable by
anyone) which is sent to his email address, which he keeps (securely, on his
laptop!..) and uses thereafter. The authentication of this transaction is
simply that the key will only be sent to the email address (ouch!). The
recipient has to be online to the CA only once, and perhaps not at all - eg
it could be done by email....
BTW, does anyone know what hash is used, or the key-lengths? I have some
ideas for an attack...
Thanks for the refs
-- Peter Fairbrother
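The offline forward-secrecy arrangement in the first paragraph of the reply (the recipient leaves one-time DH key parts on a server, the sender collects one without the recipient being online, and the recipient discards the matching private part after use) is sketched below as an added Python example. It is not code from the post, from m-o-o-t, or from anyone in the thread. Everything beyond the post's description is an assumption: the 2048-bit MODP group from RFC 3526 with generator 2, SHA-256 for key derivation, a toy SHA-256 keystream standing in for a real AEAD, and no signature over the deposited key parts.

```python
"""Offline (non-interactive) forward secrecy with pre-deposited DH key parts.

Added illustration, not m-o-o-t's code. Models the flow from the post: the
recipient deposits one-time DH public key parts on a server, the sender picks
one up while the recipient is offline, and the recipient deletes the matching
private exponent after decrypting, so a later compromise of the recipient's
machine cannot recover the message key.

Assumptions (not from the post): RFC 3526 2048-bit MODP group 14 with g = 2,
SHA-256 key derivation, a toy XOR keystream instead of an AEAD, and no
authentication of the deposited key parts.
"""
import hashlib
import secrets

# 2048-bit MODP prime from RFC 3526 (group 14); generator 2. Assumed parameter choice.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
LABEL = b"offline-fs-demo"  # constructed KDF label


def dh_keypair():
    """Fresh ephemeral exponent x and public part g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(peer_pub: int, own_priv: int) -> bytes:
    """Reject degenerate peer values, then derive a 256-bit key from g^(xy)."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public key part out of range")
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(LABEL + shared.to_bytes(256, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream); stands in for an AEAD."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyServer:
    """Mailbox-side store of public key parts; each is handed out exactly once."""

    def __init__(self):
        self.pool = {}

    def deposit(self, owner: str, kid: str, pub: int):
        self.pool.setdefault(owner, {})[kid] = pub

    def fetch_one(self, owner: str):
        # popitem removes the part, so no second sender can reuse it
        return self.pool[owner].popitem()

    def remaining(self, owner: str) -> int:
        return len(self.pool.get(owner, {}))


class Recipient:
    """Generates a batch of one-time parts, keeps the private halves locally."""

    def __init__(self, addr: str, server: KeyServer, n: int = 3):
        self.addr = addr
        self.private_parts = {}
        for i in range(n):
            x, y = dh_keypair()
            kid = f"{addr}#{i}"  # constructed identifier for the key part
            self.private_parts[kid] = x
            server.deposit(addr, kid, y)

    def receive(self, envelope):
        kid, sender_pub, ct = envelope
        # pop, not get: the exponent is erased once the message is read
        x = self.private_parts.pop(kid)
        return keystream_xor(shared_key(sender_pub, x), ct)


def send(server: KeyServer, to: str, plaintext: bytes):
    """Sender side: needs only the server, never the recipient, to be online."""
    kid, recipient_pub = server.fetch_one(to)
    s, sender_pub = dh_keypair()
    key = shared_key(recipient_pub, s)
    del s  # sender discards its own ephemeral exponent as well
    return kid, sender_pub, keystream_xor(key, plaintext)


def demo():
    """Returns (decrypted text, private part erased?, server parts left, replay possible?)."""
    server = KeyServer()
    bob = Recipient("bob@example.invalid", server, n=2)
    env = send(server, bob.addr, b"hello from an offline sender")
    pt = bob.receive(env)
    erased = env[0] not in bob.private_parts
    try:
        bob.receive(env)  # same envelope again: key material is gone
        replayable = True
    except KeyError:
        replayable = False
    return pt, erased, server.remaining(bob.addr), replayable


if __name__ == "__main__":
    print(demo())
```

The forward-secrecy property rests on two deletions: the server drops each public part when it is handed out, and the recipient drops the private exponent when the message is decrypted. What this sketch leaves out, and what a deployment would need, is a signature by the recipient's long-term key over the deposited parts, since otherwise whoever controls the mailbox can substitute their own key parts.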