I don't see why you say there is no mention of economic issues in the document. It looks to me like such issues are pervasive. They drive the entire discussion on mobile platform security, where the main considerations are the limited computing power and bandwidth availability, as well as the need to protect SIM cards (so as to preserve the business model of cell phone companies). Likewise for the discussion of ambient computing research. Surely you will agree that DRM has something to do with economics. E-voting as well is essentially an economic issue in terms of choosing from competing technologies and trying to find new ones which satisfy the economic requirements of a practical voting system. Authentication protocols are a big economic issue which relate to the phishing problem.
As for opportunistic encryption, that's your own personal hobbyhorse and you're welcome to ride it, but I say that a net built on OE would be an insecure net. You can't leave your crypto up to chance, there's too many ways for an attacker to disrupt it and presto, you have no security at all just when you really need it. And the same-key-as-before rule is utterly brittle; if that were the universal basis for security people would get so tired of key-has-changed warnings that they would disable them entirely and you are back to no security at all.
Posted by Cypherpunk at December 28, 2004 01:41 PMIn terms of economic issues: I'll take that one on the chin, yes, there are economic considerations in there, just not the ones I want to see. Well spotted!
"OE:" I would *love* to be associated with that movement, but unfortunately, I'm just a bit of a cheerleader there. You say "a net built on OE would be an insecure net." Yet SSH rocks. Wannabes like SSL get rolled, because they are built on exactly the same false assumptions: we have to make the crypto perfect, nothing else will do. The end result is a flawed and uneconomic security model, but at least the crypto guys are proud of their work.
The way to consider SSH v. SSL, or the "opportunistic" versus "no-risk" models is to consider this: it all depends where you make the leap of faith. (As Adi says, there are no secure systems, right?) In the former, it is in that first key exchange, which you consider brittle. In the latter, it is in the safety and sanctity of the TTP, which I consider stupid. Which is better? Neither, in theory, because we assumed away these difficulties. But in practice, a huge difference pertains: one delivers adequate security to the masses, the other delivers placebo security to the privileged.
Now, to be fair, SSL's current problems relate from a bunch of bad assumptions, not just one. For example the threat model is some made up thing out of a text book. See that new post for actual validated threat models; there is a world of difference between what those guys experienced, and were documented as experiencing, and the mythical Mallory or MITM that SSL claims to protect against. What then is the purpose of making this crypto so darn perfect, when the threat just ain't there?
(Yes, I know, it isn't there because we protected against it. Nope, sorry. CCs get pushed across the net in the clear in massive numbers every day. The reason the threat isn't present is because it's a dumb threat.)
Posted by Iang at December 28, 2004 04:18 PM