Newsgroups: sci.crypt
Path: msuinfo!uchinews!linac!uwm.edu!rpi!batcomputer!cornell!rochester!cantaloupe.srv.cs.cmu.edu!mnr
From: mnr+@cs.cmu.edu (Marc Ringuette)
Subject: Re: the trusted public-key distribution problem
Message-ID: <1992Feb14.014559.266282@cs.cmu.edu>
Date: Fri, 14 Feb 92 01:45:59 GMT
Organization: School of Computer Science, Carnegie Mellon
Nntp-Posting-Host: daisy.learning.cs.cmu.edu
Lines: 38

brnstnd@nyu.edu (Dan Bernstein) writes,
> Nor would there be any confusion if---as I've been emphasizing
> throughout this discussion---everyone made sure to transmit complete
> (name,address,key) tuples, rather than just the ambiguous names.

You may be missing something important, Dan.  Your suggestion is fine
for eavesdropping but fails really terribly if spoofing is possible
(which indeed it is!).

If I consistently intercept your mail and substitute my "almost Dan" public
key for yours every time you send mail ... and you fail to detect that the
rest of the world is dealing with you through a different public key ...  and
I decode and retranslate all messages going to you and from you ... then you
will lead your normal life, except when I choose to disrupt it.  This is
a really icky thing to have happen.

If you're using automated software, I can use an automated spoofer with
a reasonable chance of success.  I could even generate my "almost
Dan" public key so it starts and ends with the same digits yours does,
so visual inspection of your posts leaves you none the wiser.  

The crux of the problem is, if everybody in the world rendezvouses with
"shadow Dan" no one will know except the nasty interloper who gets to
have his way with you.

Intercepting _all_ of your mail may be less insidious than delivering
a spoofed public key to one person, or a small subset of your correspondents,
so you are less likely to detect it.

This isn't a problem in person:  how could I hope to place a transparent mask
over your face that lets me eavesdrop all the time, and occasionally talk for
you?  Electronically it's not far-fetched at all.  This is one huge reason
why key distribution mechanisms are important.

That said, I wish PEM weren't being delayed for a year or two because
certification hierarchies are so hard to get straight.
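The substitution Marc describes above, as an added example that is not part of the original post or thread: a Python model of a (name, address, key) tuple passing through an interloper who swaps in an "almost Dan" key, with the visual prefix/suffix check shown beside a full-fingerprint comparison against a value obtained out of band. The two keys, the name and the address are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample keys (not real public keys, not derived from anyone's key).
# The "almost Dan" key shares its first and last 8 hex digits with the genuine
# one and differs only in the middle, which is exactly what a glance at a
# posted key fails to notice.
GENUINE_KEY_HEX = (
    "c3a1f09e" + "5d8b2a7e41f60c9b3e2d7a58b1c4f6e0d29a3b7c5e8f1a4d" + "7b2e9c04"
)
ALMOST_DAN_KEY_HEX = (
    "c3a1f09e" + "11223344556677889900aabbccddeeff0011223344556677" + "7b2e9c04"
)

# Constructed identity for the tuple; the interloper leaves these untouched.
NAME = "Dan"
ADDRESS = "dan@example.net"


def fingerprint(key: bytes) -> str:
    """Full SHA-256 fingerprint of a key, as hex (the value to exchange in person)."""
    return hashlib.sha256(key).hexdigest()


def looks_same_by_eye(key_a_hex: str, key_b_hex: str, digits: int = 8) -> bool:
    """The visual inspection the post describes: compare only the leading and
    trailing digits of the two keys. This is the check that the lookalike key
    is built to pass."""
    return (key_a_hex[:digits] == key_b_hex[:digits]
            and key_a_hex[-digits:] == key_b_hex[-digits:])


def relay_through_interloper(tup, shadow_key: bytes):
    """Model of the in-path attacker: the (name, address) part of the tuple is
    delivered unchanged, only the key is replaced."""
    name, address, _genuine_key = tup
    return (name, address, shadow_key)


def verify_tuple(received, trusted_fingerprints) -> bool:
    """Check a received (name, address, key) tuple against a fingerprint that
    was obtained through a trusted channel (in person, or via a certification
    hierarchy), not from the same channel that carried the tuple."""
    name, address, key = received
    expected = trusted_fingerprints.get((name, address))
    if expected is None:
        return False  # no out-of-band anchor: the tuple proves nothing by itself
    # constant-time comparison of the whole fingerprint, not just its ends
    return hmac.compare_digest(fingerprint(key), expected)


def demo() -> dict:
    """Run the scenario and report which checks the spoofed tuple passes."""
    genuine = (NAME, ADDRESS, bytes.fromhex(GENUINE_KEY_HEX))
    # Fingerprint learned out of band, e.g. read aloud in person.
    trusted = {(NAME, ADDRESS): fingerprint(genuine[2])}
    spoofed = relay_through_interloper(genuine, bytes.fromhex(ALMOST_DAN_KEY_HEX))
    return {
        "tuple_identity_unchanged": spoofed[:2] == genuine[:2],
        "spoofed_passes_visual_check": looks_same_by_eye(
            genuine[2].hex(), spoofed[2].hex()),
        "spoofed_passes_full_fingerprint": verify_tuple(spoofed, trusted),
        "genuine_passes_full_fingerprint": verify_tuple(genuine, trusted),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the model makes is the one in the post: a complete (name, address, key) tuple is only as trustworthy as the channel it arrived on, and a check that looks at the visible ends of a key is no check at all. What breaks the substitution is a full fingerprint that reached you by some path the interloper does not control.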