Trevor, interesting, but there is a huge gain in having an offline or airgapped master key: You can not only re-issue any key that may have fallen into the wrong hands, if your protocol is sufficiently advanced you can prune all the messages from the history that you didn't actually write yourself. By the time your peers come online you might already have cleaned out all the SPAM that was sent in your name. I think this is a huge advantage of master-key-signed approaches.
Tony, I would like to challenge the idea of necessity of a "bootstrap message" - that is to write to a person by either using her master key or encrypting to all currently known keys. If you are in a social relationship with that person you must have absolved a communication bootstrap procedure (using QR codes, shared secrets, social graph adoption or Bluetooth handshake.. whatever) and thus you should be having an ongoing ephemeral key for each person you talk to. Both Briar and Pond use ephemerals once the communication is started. The challenge in this case is rather to synchronize the ephemerals among the devices, and that can be done with a pubsub channel link between the devices. Doesn't that make sense?

Maxwell, introducing a dependency on a master server to maintain the master key doesn't sound very safe to me. I like that in our model we can generate all the key material offline, then print the master private key on a sheet of paper and wipe the computer's memory of it before getting online.

On Mon, Dec 29, 2014 at 08:17:27PM -0800, Joseph Bonneau wrote:
> This is a nice protocol but it's solving a different problem being
> discussed initially in this thread. I think it's worth starting from the
> high-level user experience we want here before diving into the crypto,

Yes, I think people can be motivated to use an offline computer for a few minutes to generate keys and have actual physical paper to put in a safe place. From then on they don't need to worry as much about the safety of their devices since they have the power to revert any failures.

> because people are already discussing crypto protocols which provide a
> pretty different UX. Ignoring setup/pairing, which is a pain in almost any
> protocol, there are three possible versions of the "multi device UI" which
> have already been proposed in this thread:

Do you mean setup/pairing of devices or people? For people there is a viable safe shortcut using social graph adoption, but it needs the implementation of a distributed private social graph. For devices the same technology used for social graph can also be used for linking personal devices, thus keeping devices in sync is no longer an issue. I don't see a need for any of the following scenarios and the implied disadvantages:

> *A user has multiple devices, any one of which can read messages if it is
> online (Trevor's #2/3/4 all fit here as do all of David's proposals)
> *A user has multiple devices, one "master" (or "home server") of which must
> be online for the user to be able to read messages at any other device
> (this was Trevor's #1)
> *A user has multiple devices, two of which must be online to sign something
> and set up a channel (2-Schnorr?)
>
> There are many other combos when you get in to issuing/revoking/changing
> keys. For example, you might also use the 2-Schnorr protocol only to
> protect some meta-key to sign other device keys, and not for routine
> messages.
>
> In any case, I would advocate that any system needs to be flexible for
> different users to choose multiple options based on their security
> preferences. I suspect most users will want a simple baseline UI along the
> lines of iMessage (or almost any other chat app) today, which is that you
> can enroll any new device instantaneously with a username/password only and
> no pairing protocol. I think if you want to design a mass-market system,
> anything involving an explicit device pairing-protocol needs to be an
> opt-in feature.

Consider also the possibility that market logic may not work out as it never has in the past two decades since we "won" the crypto wars. If we let people always take the decision and opt for easy solutions humanity may never experience a secure Internet as they will always pick a compromised solution and mass surveillance will go on, to the detriment of democracy.

Consider the possibility that the only way to create an Internet that respects the principles of democratic constitutions could be to put certain basic requirements of end-to-end security into law. http://youbroketheinternet.org/legislation/ is about that, a law proposal for obligatory encryption.

What happened to David? I was curious to read his reply to my post!

-- 
http://youbroketheinternet.org
ircs://psyced.org/youbroketheinternet

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
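The offline-master-key argument from the top of the post (revoke a device key that fell into the wrong hands, then prune what was sent in your name), as an added example that is not code from this thread, Pond or Briar: a Go model in which the master key signs device certificates and revocations and peers prune their copy of the history accordingly. The statement format, the per-device sequence numbers and all names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
)
// Constructed layout (not Pond's or Briar's): an offline master key issues signed
// statements certifying a device key or revoking it from a sequence number on.
type Statement struct {
	Kind string // "cert" or "revoke"
	Dev  ed25519.PublicKey
	Seq  uint64 // for "revoke": first sequence number that no longer counts
	Sig  []byte // master signature over Kind||Dev||Seq
}
type Message struct {
	Dev       ed25519.PublicKey
	Seq       uint64 // per-device counter, increases with every message
	Body, Sig []byte // Sig: device signature over Seq||Body
}
func u64(n uint64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, n); return b }
func stmtBytes(kind string, dev []byte, seq uint64) []byte { return append(append([]byte(kind), dev...), u64(seq)...) }

// MasterSign is the only step that needs the master private key, i.e. the offline one.
func MasterSign(master ed25519.PrivateKey, kind string, dev ed25519.PublicKey, seq uint64) Statement {
	return Statement{Kind: kind, Dev: dev, Seq: seq, Sig: ed25519.Sign(master, stmtBytes(kind, dev, seq))}
}
func SignMessage(dev ed25519.PrivateKey, seq uint64, body []byte) Message {
	return Message{Dev: dev.Public().(ed25519.PublicKey), Seq: seq, Body: body,
		Sig: ed25519.Sign(dev, append(u64(seq), body...))}
}

// PruneHistory keeps a message only if a valid master certificate covers its device
// key, no valid master revocation covers its Seq, and its own device signature verifies.
func PruneHistory(master ed25519.PublicKey, stmts []Statement, hist []Message) []Message {
	var kept []Message
	for _, m := range hist {
		certified, revoked := false, false
		for _, s := range stmts { // statements with a bad master signature are ignored
			if bytes.Equal(s.Dev, m.Dev) && ed25519.Verify(master, stmtBytes(s.Kind, s.Dev, s.Seq), s.Sig) {
				certified = certified || s.Kind == "cert"
				revoked = revoked || (s.Kind == "revoke" && m.Seq >= s.Seq)
			}
		}
		if certified && !revoked && ed25519.Verify(m.Dev, append(u64(m.Seq), m.Body...), m.Sig) {
			kept = append(kept, m)
		}
	}
	return kept
}
```

A revocation only voids messages from its sequence number on, so what the owner wrote before the device was lost survives the pruning; a revocation signed by anything but the master key is ignored.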
