James Mickens on security
Robert J. Hansen
rjh at sixdemonbag.org
Wed Aug 13 17:05:19 CEST 2014
Microsoft Research's James Mickens wrote several humorous columns for
USENIX in which he interspersed brilliant insights with side-splitting
humor. I just found his "This World We Live In," which has a good bit
about PGP in it. You can find his original at:

http://research.microsoft.com/en-us/people/mickens/thisworldofours.pdf

"[C]onstructing a public-key infrastructure is incredibly difficult in
practice. When someone says 'assume that a public-key cryptosystem
exists,' this is roughly equivalent to saying 'assume that you could
clone dinosaurs, and that you could fill a park with these dinosaurs,
and that you could get a ticket to this "Jurassic Park," and that you
could stroll throughout this park without getting eaten, clawed, or
otherwise quantum entangled with a macroscopic dinosaur particle.' With
public-key cryptography there's a horrible, fundamental challenge of
finding somebody, *anybody*, to establish and maintain the
infrastructure. For example, you could enlist a well-known technology
company to do it, but this would offend the refined aesthetics of the
vaguely Marxist but comfortably bourgeoisie hacker community who wants
everything to be decentralized and who non-ironically believes that Tor
is used for things besides drug deals and kidnapping plots.
Alternatively, the public-key infrastructure could use a decentralized
'web of trust' model; in this architecture, individuals make their own
keys and certify the keys of trusted associates, creating chains of
attestation. 'Chains of Attestation' is a great name for a heavy metal
band, but it is less practical in the real, non-Ozzy Osbourne-based
world, since I don't just need a chain of attestation between me and
some unknown, filthy stranger -- I also need a chain of attestation *for
each link in that chain*. This recursive attestation eventually leads
to fractals and H.P. Lovecraft-style madness. Web-of-trust
cryptosystems also result in the generation of emails with incredibly
short bodies (e.g., 'R U gonna be at the gym 2nite?!?!?!?') and
multi-kilobyte PGP key attachments, leading to a packet framing overhead
of 98.5%. PGP enthusiasts are like your friend with the
ethno-literature degree whose multi-paragraph email signature has
fourteen Buddhist quotes about wisdom and mankind's relationship to
trees. It's like, I GET IT. You care deeply about the things that you
care about. Please leave me alone so that I can ponder the
inevitability of death."