Would this be anything to do with the UK prohibition of cryptography bill? If so, having read the bill closely, the entire thrust is putting responsibilities on the 'service provider'. Which is clearly conceived as being a large organization that is within UK jurisdiction.
Signal, Wire etc. clearly meet that definition and are vulnerable because they are a large monolithic service. So the only viable strategy for them is to refuse service to UK residents.

A service like Signal etc. can provide intercept capabilities in several ways:

* Backdoor into the application
* Application leaks private key
* Public key directory returns key for MITM attacker
* Refuse service unless the application supports the required backdoor.

The only way to defeat these attacks is for the service to be designed so that the service cannot defect. We have to make it 'zero trust' with respect to confidentiality.

But what if there was an open, interoperable service like we have for email? This means users can pick their own client from any provider that implements the spec. That closes down a lot of the attack vectors.

It also means that users can be their own service provider. Which completely negates the assumptions built into the bill.

The downside to this approach is that open standards tend to evolve rather more slowly than single vendor services. But given that most of the changes seem to turn out to be making the service worse for the user over time to extract maximum rents, this is maybe an advantage.

PHB.
_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass
