Re: [Sip] Review of draft-kupwade-sip-iba-00

[Eric Rescorla <ekr at networkresonance.com>]

At Wed, 27 Feb 2008 07:43:08 -0800 (PST),
Harsh Kupwade wrote:
> 
> [1  <text/plain; iso-8859-1 (8bit)>]
> Key escrow problem has been tackled using B. Lee et. al?s
> algorithm.  They propose a single Private key generator who would
> perform the identity check and multiple KPAs (Key Privacy
> Authorities) who would distribute the partial private key.  Lee, B.,
> Boyd, C., Dawson, E., Kim, K., Yang, J. and Yoo, S., "Secure Key
> Issuing in ID-based Cryptography," in Conferences in Research and
> Practice in Information Technology, 2004, vol. 32, pp. 69-74.

I don't see how this really solves the problem. Obviously,
at a large cost you can have multiple KGs such that all of
them need to cheat in order to recover the message content,
but that doesn't really solve the problem. As the paper
you cite indicates, lawful intercept can be performed by
subpoenaing all the KGs.

Now, I'm not saying that escrow is necessarily bad, but
that just that this doesn't remove it.

-Ekr


> Eric Rescorla <ekr at networkresonance.com> wrote:  At Wed, 27 Feb 2008 01:47:23 -0500,
> Hadriel Kaplan wrote:
> > 
> > Cool. So if I understand this right (and I probably don't),
> > ignoring rfc4474 identity and IBS for a moment and instead thinking
> > about SRTP and IBE: I could use IBE to encrypt the
> > security-descriptions attribute value using the intended target's
> > SIP URI as a key, and only someone owning that URI (and sharing the
> > same KG) or the KG itself could decrypt it to learn the sec-desc
> > cleartext to use?
> 
> Yeah. This is how Voltage's email system works. (Seriously,
> read the blog post I pointed at, whcih explains all this).
> But of course this doesn't work correctly with a bunch of
> retargeting scenarios. This is basically orthogonal to
> MIKEY RSA mdoe, except that instead of doing certificate
> retrieval you need to do parameter retrieval, and only
> once for the domain.
> 
> Another sort-of-weird feature here is that you can encrypt to
> someone who hasn't registered with the system, and then
> they can register *afterward*. That works with email but
> of course is too slow for VoIP.
> 
> 
> > -hadriel p.s. the KG would actually be a problem for IBE, wouldn't
> > it? I mean the KG can always decrypt it. (at which point they would
> > be the Key Generator Backdoor - aka, the KGB ;)
> 
> Yeah. This feature is generally referred to as "escrow" and is
> one of the reasons why people don't want to have a single 
> global KG.
> 
> -Ekr
> _______________________________________________
> Sip mailing list https://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors at cs.columbia.edu for questions on current sip
> Use sipping at ietf.org for new developments on the application of sip
> 
> 
>        
> ---------------------------------
> Looking for last minute shopping deals?  Find them fast with Yahoo! Search.
> [2  <text/html; iso-8859-1 (8bit)>]
> 
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip