idnits 2.17.1 

draft-hallambaker-mesh-trust-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The abstract seems to contain references ([1]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (January 18, 2019) is 1924 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '1' on line 1170

  -- Obsolete informational reference (is this intentional?): RFC 6962
     (Obsoleted by RFC 9162)


     Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                    P. Hallam-Baker
3	Internet-Draft                                          January 18, 2019
4	Intended status: Informational
5	Expires: July 22, 2019

7	               Mathematical Mesh Part IV: The Trust Mesh
8	                    draft-hallambaker-mesh-trust-00

10	Abstract

12	   This paper extends Shannon's concept of a 'work factor' as applied to
13	   evaluation of cryptographic algorithms to provide an objective
14	   measure of the practical security offered by a protocol or
15	   infrastructure design.  Considering the hypothetical work factor
16	   based on an informed estimate of the probable capabilities of an
17	   attacker with unknown resources provides a better indication of the
18	   relative strength of protocol designs than the computational work
19	   factor of the best-known attack.

21	   The social work factor is a measure of the trustworthiness of a
22	   credential issued in a PKI based on the cost of having obtained the
23	   credential through fraud at a certain point in time.  Use of the
24	   social work factor allows evaluation of Certificate Authority based
25	   trust models and peer to peer (Web of Trust) models to be evaluated
26	   in the same framework.  The analysis demonstrates that both
27	   approaches have limitations and that in certain applications, a
28	   blended model is superior to either by itself.

30	   The final section of the paper describes a proposal to realize this
31	   blended model using the Mathematical Mesh.

33	   This document is also available online at
34	   http://mathmesh.com/Documents/draft-hallambaker-mesh- trust.html [1]
35	   .

37	Status of This Memo

39	   This Internet-Draft is submitted in full conformance with the
40	   provisions of BCP 78 and BCP 79.

42	   Internet-Drafts are working documents of the Internet Engineering
43	   Task Force (IETF).  Note that other groups may also distribute
44	   working documents as Internet-Drafts.  The list of current Internet-
45	   Drafts is at https://datatracker.ietf.org/drafts/current/.

47	   Internet-Drafts are draft documents valid for a maximum of six months
48	   and may be updated, replaced, or obsoleted by other documents at any
49	   time.  It is inappropriate to use Internet-Drafts as reference
50	   material or to cite them other than as "work in progress."

52	   This Internet-Draft will expire on July 22, 2019.

54	Copyright Notice

56	   Copyright (c) 2019 IETF Trust and the persons identified as the
57	   document authors.  All rights reserved.

59	   This document is subject to BCP 78 and the IETF Trust's Legal
60	   Provisions Relating to IETF Documents
61	   (https://trustee.ietf.org/license-info) in effect on the date of
62	   publication of this document.  Please review these documents
63	   carefully, as they describe your rights and restrictions with respect
64	   to this document.  Code Components extracted from this document must
65	   include Simplified BSD License text as described in Section 4.e of
66	   the Trust Legal Provisions and are provided without warranty as
67	   described in the Simplified BSD License.

69	Table of Contents

71	   1.  Work Factor . . . . . . . . . . . . . . . . . . . . . . . . .   3
72	     1.1.  Computational Work Factor . . . . . . . . . . . . . . . .   3
73	     1.2.  Hypothetical Work Factor  . . . . . . . . . . . . . . . .   4
74	     1.3.  Known Unknowns  . . . . . . . . . . . . . . . . . . . . .   5
75	     1.4.  Defense in Depth  . . . . . . . . . . . . . . . . . . . .   6
76	     1.5.  Mutual Reinforcement  . . . . . . . . . . . . . . . . . .   7
77	     1.6.  Safety in Numbers . . . . . . . . . . . . . . . . . . . .   8
78	     1.7.  Cost Factor . . . . . . . . . . . . . . . . . . . . . . .  10
79	     1.8.  Social Work Factor  . . . . . . . . . . . . . . . . . . .  12
80	       1.8.1.  Related work  . . . . . . . . . . . . . . . . . . . .  14
81	   2.  The problem of trust  . . . . . . . . . . . . . . . . . . . .  14
82	     2.1.  Existing approaches . . . . . . . . . . . . . . . . . . .  15
83	       2.1.1.  Trust After First Use (TAFU)  . . . . . . . . . . . .  15
84	       2.1.2.  Direct Trust  . . . . . . . . . . . . . . . . . . . .  16
85	       2.1.3.  Certificate Authority . . . . . . . . . . . . . . . .  16
86	       2.1.4.  Web of Trust  . . . . . . . . . . . . . . . . . . . .  17
87	       2.1.5.  Chained notary  . . . . . . . . . . . . . . . . . . .  18
88	       2.1.6.  A blended approach  . . . . . . . . . . . . . . . . .  19
89	   3.  The Mesh of Trust . . . . . . . . . . . . . . . . . . . . . .  21
90	     3.1.  Master Profile  . . . . . . . . . . . . . . . . . . . . .  21
91	     3.2.  Uniform Data Fingerprints . . . . . . . . . . . . . . . .  21
92	     3.3.  Strong Internet Names . . . . . . . . . . . . . . . . . .  22
93	     3.4.  Trust notary  . . . . . . . . . . . . . . . . . . . . . .  23
94	     3.5.  Endorsement . . . . . . . . . . . . . . . . . . . . . . .  23
95	     3.6.  Evaluating trust  . . . . . . . . . . . . . . . . . . . .  23
96	   4.  Conclusions . . . . . . . . . . . . . . . . . . . . . . . . .  24
97	   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  24
98	     5.1.  Informative References  . . . . . . . . . . . . . . . . .  24
99	     5.2.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .  25
100	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  25

102	1.  Work Factor

104	   Recent events have highlighted both the need for open standards-based
105	   security protocols and the possibility that the design of such
106	   protocols may have been sabotaged [Schneier2013] . We thus face two
107	   important and difficult challenges, first to design an Internet
108	   security infrastructure that offers practical security against the
109	   class of attacks revealed, and secondly, to convince potential users
110	   that the proposed new infrastructure has not been similarly
111	   sabotaged.

113	   The measure of a security of a system is the cost and difficulty of
114	   making a successful attack.  The security of a safe is measured by
115	   the length time it is expected to resist attack using a specified set
116	   of techniques.  The security of a cryptographic algorithm against a
117	   known attack is measured by the computational cost of the attack.

119	   This paper extends Shannon's concept of a 'work factor' [Shannon1949]
120	   to provide an objective measure of the security a protocol or
121	   infrastructure offers against other forms of attack.

123	1.1.  Computational Work Factor

125	   The term 'Computational Work Factor' is used to refer to Shannon's
126	   original concept.

128	   One of Shannon's key insights was that the work factor of a
129	   cryptographic algorithm could be exponential.  Adding a single bit to
130	   the key size of an ideal symmetric algorithm presents only a modest
131	   increase in computational effort for the defender but doubles the
132	   work factor for the attacker.

134	   More precisely, the difficulty of breaking a cryptographic algorithm
135	   is generally measured by the work-factor ratio.  If the cost of
136	   encrypting a block with 56-bit DES is x, the worst case cost of
137	   recovering the key through a brute force attack is 256x.  The
138	   security of DES has changed over time because x has fallen
139	   exponentially.

141	   While the work factor is traditionally measured in terms of the
142	   number of operations, many cryptanalytic techniques permit memory
143	   used to be traded for computational complexity.  An attack requiring
144	   264 bytes of memory that reduces the number of operations required to
145	   break a 128 bit cipher to 264 is a rather lower concern than one
146	   which reduces the number of operations to 280.  The term 'cost' is
147	   used to gloss over such distinctions.

149	   The Computational Work Factor ratio WF-C (A) of a cryptographic
150	   algorithm A, is the cost of the best-known attack divided by the cost
151	   of the algorithm itself.

153	1.2.  Hypothetical Work Factor

155	   Modern cryptographic algorithms use keys of 128 bits or more and
156	   present a work factor ratio of 2128 against brute force attack.  This
157	   work factor is at least 272 times higher than DES and comfortably
158	   higher than the work factor of 280 operations that is generally
159	   believed to be the practical limit to current attacks.

161	   Though Moore's law has delivered exponential improvements in
162	   computing performance over the past four decades, this has been
163	   achieved through continual reductions in the minimum feature size of
164	   VLSI circuits.  As the minimum feature size rapidly approaches the
165	   size of individual atoms, this mechanism has already begun to stall
166	   [Intel2018] .

168	   While an exceptionally well-resourced attacker may gain performance
169	   advances through use of massive parallelism, faster clock rates made
170	   possible by operating at super-low temperatures and custom designed
171	   circuits, the return on such approaches is incremental rather than
172	   exponential.

174	   Performance improvements may allow an attacker to break systems with
175	   a work factor several orders of magnitude greater than the public
176	   state of the art.  But an advance in cryptanalysis might permit a
177	   potentially more significant reduction in the work factor.

179	   The primary consideration in the choice of a cryptographic algorithm
180	   therefore is not the known computational work factor as measured
181	   according to the best publicly known attack but the confidence that
182	   the computational work factor of the best attack that might be known
183	   to the attacker.

185	   While the exact capabilities of the adversary are unknown, a group of
186	   informed experts may arrive at a conservative estimate of their
187	   likely capabilities.  In particular, it is the capabilities of
188	   nation-state actors that generally give rise to greatest concern in
189	   security protocol design.  In this paper we refer to this set of
190	   actors as nation-state class adversaries in recognition of the fact
191	   that certain technology companies posses computing capabilities that
192	   rival if not exceed those of the largest state actors and those
193	   capabilities could at least in theory be co-opted for other purposes
194	   in certain circumstances.

196	   The probability that a nation-state class has discovered an attack
197	   against AES-128 with a work factor ratio of 2120 might be considered
198	   relatively high while the probability that an attack with a work
199	   factor ratio of less than 264 is very low.

201	   We define the hypothetical work factor function WF-H (A, p) as
202	   follows: If WF is a work factor ratio and p is an informed estimate
203	   of the probability that an adversary has developed an attack with a
204	   work factor ratio against algorithm A of WF or less then WF-H (A, p)
205	   = WF.

207	   Since the best-known public attack is known to the attacker, WF-H (A,
208	   1) = CWF (A)

210	   The inverse function WF-H' (A, WF) returns the estimated probability
211	   that the work factor of algorithm A is at least WF.

213	   The hypothetical work factor and its inverse may be used to compare
214	   the relative strengths of protocol designs.  Given designs A and B,
215	   we can state that B is an improvement on A if WF-H (A,p) > WF-H (B,p)
216	   for all p.

218	   When considering a protocol or infrastructure design we can thus
219	   improve a protocol by either:

221	   o  Increasing WF-H (A,p) for some p, or

223	   o  Decreasing WF-H '(A,WF)

225	1.3.  Known Unknowns

227	   Unlike the computational work factor, the hypothetical work factor
228	   does not provide an objective measure of the security offered by a
229	   design.  The purpose of the hypothetical work factor is to allow the
230	   protocol designer to compare the security offered by different design
231	   choices.

233	   The task that the security engineer faces is to secure the system
234	   from all attacks whether the attacks themselves are known or unknown.
235	   In the current case it is known that an attacker is capable of
236	   breaking at least some of the cryptographic algorithms in use.  But
237	   not which algorithms are affected or the nature of the attack(s).

239	   Unlike the computational work factor, the hypothetical work factor
240	   does not deliver an academically rigorous, publication and citation
241	   worthy measure of the strength of a design.  That is not its purpose.
242	   the purpose of the hypothetical work factor is to assist the protocol
243	   designer in designing protocols.

245	   Design of security protocols has always required the designer to
246	   consider attackers whose capabilities are not currently known and
247	   thus involved a considerable degree of informed opinion and
248	   guesswork.  Whether correctly or not, the decision to reject changes
249	   to the DNSSEC protocol to enable deployment in 2002 rested in part on
250	   a statement by a Security Area Director that a proposed change gave
251	   him 'a bad feeling in his gut'.  The hypothetical work factor permits
252	   the security designer to model to quantify such intestinally based
253	   assumptions and model the effect on the security of the resulting
254	   design.

256	   Security is a property of systems rather than individual components.
257	   While it is quite possible that there are no royal roads to
258	   cryptanalysis and cryptanalysis of algorithms such as AES 128 is
259	   infeasible even for the nation state class adversaries, such
260	   adversaries are not limited to use of cryptanalytic attacks.

262	   Despite the rise of organized cyber-crime, many financial systems
263	   still employ weak cryptographic systems that are known to be
264	   vulnerable to cryptanalytic attacks that are well within the
265	   capabilities of the attackers.  But fraud based on such techniques
266	   remains vanishingly rare as it is much easier for the attackers to
267	   persuade bank customers to simply give their access credentials to
268	   the attacker.

270	   Even if a nation-state class attacker has a factoring attack which
271	   renders an attack on RSA-2048 feasible, it is almost certainly easier
272	   for a nation-state class attacker to compromise a system using
273	   RSA-2048 in other ways.  For example, persuading the target of the
274	   surveillance to use cryptographic devices with a random number
275	   generator that leaks a crib for the attacker.  Analyzing the second
276	   form of attack requires a different type of analysis which is
277	   addressed in the following section on social work factor.

279	1.4.  Defense in Depth

281	   The motivation behind introducing the concept of the hypothetical
282	   work factor is a long experience of seeing attempts to make security
283	   protocols more robust being deflected by recourse to specious
284	   arguments based on the computational work factor.

286	   For example, consider the case in which a choice between a single
287	   security control and a defense in depth strategy is being considered:

289	   o  Option A: Uses algorithm X for protection.

291	   o  Option B: Uses a combination of algorithm X and algorithm Y for
292	      protection such that the attacker must defeat both to break the
293	      system and algorithms based on different cryptographic principles
294	      are chosen so as to minimize the risk of a common failure mode.

296	   If the computational work factor for both algorithms X and Y is 2128,
297	   both options present the same work factor ratio.  Although Option B
298	   offers twice the security, it also requires twice the work.

300	   The argument that normally wins is that both options present the same
301	   computational work factor ratio of 2128, Option A is simpler and
302	   therefore Option A should be chosen.  This despite the obvious fact
303	   that only Option B offers defense in depth.

305	   If we consider the adversary of being capable of performing a work
306	   factor ratio of 280 and the probability the attacker has discovered
307	   an attack capable of breaking algorithms X and Y to be 10% in each
308	   case, the probability that the attacker can break Option A is 10%
309	   while the probability that an attack on Option B is only 1%, a
310	   significant improvement.

312	   While Option B clearly offers a significant potential improvement in
313	   security, this improvement is only fully realized if the
314	   probabilities of a feasible attack are independent.

316	1.5.  Mutual Reinforcement

318	   The defense in depth approach affords a significant improvement in
319	   security but an improvement that is incremental rather than
320	   exponential in character.  With mutual reinforcement we design the
321	   mechanism such that in addition to requiring the attacker to break
322	   each of the component algorithms, the difficulty of the attacks is
323	   increased.

325	   For example, consider the use of a Deterministic Random Number
326	   Generator R(s,n) which returns a sequence of values R(s,1), R(s,2)?
327	   from an initial seed s.

329	   Two major concerns in the design of such generators are the
330	   possibility of bias and that the seed value be somehow leaked through
331	   a side channel.

333	   Both concerns are mitigated if instead of using the output of one
334	   generator directly, two independent random number generators with
335	   distinct seeds are used.

337	   For example, consider the use of the value R1(s1,n) XOR R2(s2,n)
338	   where R1(s,n) and R2(s,n) are different random number generation
339	   functions and s1, s2 are distinct seeds.

341	   The XOR function has the property of preserving randomness so that
342	   the output is guaranteed to be at least as random as either of the
343	   generators from which it is built (provided that there is not a
344	   common failure mode).  Further, recovery of either random seed is at
345	   least as hard as using the corresponding generator on its own.  Thus,
346	   the Hypothetical work factor for the combined system is improved to
347	   at least the same extent as in the defense in depth case.

349	   But any attempt to break either generator must now face the
350	   additional complexity introduced by the output being masked with the
351	   unknown output of the other.  An attacker cannot cryptanalyze the two
352	   generator functions independently.  If the two generators and the
353	   seeds are genuinely independent, the combined hypothetical work
354	   factor is the product of the hypothetical work factors from which it
355	   is built.

357	   While implementing two independent generators and seeds represents a
358	   significant increase in cost for the implementer, a similar
359	   exponential leverage might be realized with negligible additional
360	   complexity through use of a cryptographic digest of the generator
361	   output to produce the masking value.

363	1.6.  Safety in Numbers

365	   In a traditional security analysis, the question of concern is
366	   whether a cryptanalytic attack is feasible or not.  When considering
367	   an indiscriminate intercept capability as in a nation-state class
368	   attack, the concern is not just whether an individual communication
369	   might be compromised but the number of communications that may be
370	   compromised for a given amount of effort.

372	   'Perfect' Forward Secrecy is an optional feature supported in IPSec
373	   and TLS.  In 2008, implementations of TLS/1.2 [RFC6246] purported to
374	   offer a choice between:

376	   Direct key exchange with a work factor dependent on the difficulty of
377	   breaking RSA 2048

379	   Direct key exchange followed by a perfect forward secrecy exchange
380	   with a work factor dependent on the difficulty of breaking both RSA
381	   2048 and DH 1024.

383	   Using the computational work factor alone suggests that the second
384	   scheme has little advantage over the first since the computational
385	   work factor of Diffie Hellman using the best-known techniques 280
386	   while the computational work factor for RSA 2048 is 2112.  Use of the
387	   perfect forward secrecy exchange has a significant impact on server
388	   performance but does not increase the difficulty of cryptanalysis.

390	   Use of perfect forward secrecy with a combination of RSA and Diffie
391	   Hellman does not provide a significant improvement in the
392	   hypothetical work factor either if individual messages are
393	   considered.  The RSA and Diffie Hellman systems are closely related
394	   and so an attacker that can break RSA 2048 can almost certainly break
395	   RSA 1024.  Moreover, computational work factor for DH 1024 is only
396	   280 and thus feasibly within the reach of a well-funded and
397	   determined attacker.

399	   According to the analysis informally applied during design, use of
400	   perfect forward secrecy does provide an important security benefit
401	   when multiple messages are considered.  While a sufficiently funded
402	   and determined attacker could conceivably break tens, hundreds or
403	   even thousands of DH 1024 keys a year, it is rather less likely that
404	   an attacker could break millions a year.  The OCSP servers operated
405	   by Comodo CA receive over 2 billion hits a day and this represents
406	   only a fraction of the number of uses of TLS on the Internet.  Use of
407	   perfect forward secrecy does not prevent an attacker from decrypting
408	   any particular message but raises the cost of indiscriminate
409	   intercept and decryption.

411	   Unfortunately, this analysis is wrong because the TLS key exchange
412	   does not achieve a work factor dependent on the difficulty of
413	   breaking both RSA 2048 and DH 1024.  The pre-master secret
414	   established in the initial RSA 2048 exchange is only used to
415	   authenticate the key exchange process itself.  The session keys used
416	   to encrypt content are derived from the weaker ephemeral key
417	   exchange, the parameters of which are exchanged in plaintext.  Due to
418	   this defect in the design of the protocol, the Work Factor of the
419	   protocol is the work factor of DH1024 alone.

421	   Nor does the use of Diffie Hellman in this fashion provide security
422	   when multiple messages are exchanged.  The Logjam attack [Adrian2015]
423	   exploits the fact that the difficulty of breaking the discrete
424	   logarithm involves four major steps, the first three of which are the
425	   most computationally intensive and only depend on the shared group
426	   parameters.  The cost of breaking a hundred Diffie Hellman public
427	   keys is not a hundred times the cost of breaking a single key, there
428	   is almost no difference.

430	   Work factor analysis exposes these flaws in the design of the
431	   TLS/1.2.  Since the session keys used to encrypt traffic do not
432	   depend on knowing the secret established in the RSA2048 exchange, the
433	   work factor of the protocol is the lesser of 280 and 2112.

435	   A simple means of ensuring that the work factor of a protocol is not
436	   reduced by a fresh key exchange is to use a one-way function such as
437	   a cryptographic digest or a key exchange to combine the output of the
438	   prior exchange with its successor.  This principle is employed in the
439	   double ratchet algorithm [Ratchet] used in the Signal protocol.  In
440	   the Mesh, the HKDF Key Derivation function [RFC5869] is frequently
441	   used for the same purpose.

443	   The work factor downgrade issue was addressed in TLS/1.3 [RFC8446]
444	   albeit in a less direct fashion by encrypting the ephemeral key
445	   exchange.

447	1.7.  Cost Factor

449	   As previously discussed, cryptanalysis is not the only tool available
450	   to an attacker.  Faced with a robust cryptographic defense, Internet
451	   criminals have employed 'social engineering' instead.  A nation-state
452	   class attacker may use any and every tool at their disposal including
453	   tools that are unique to government backed adversaries such as the
454	   threat of legal sanctions against trusted intermediaries.

456	   Although attackers can and will use every tool at their disposal,
457	   each tool carries a cost and some tools require considerable advance
458	   planning to use.  It is conceivable that the AES standard published
459	   by NIST contains a backdoor that somehow escaped the extensive peer
460	   review.  But any such effort would have had to have begun well in
461	   advance of 1998 when the Rijndael cipher was first published.

463	   Nation-state class actors frequently rely for security on the same
464	   infrastructures that they are attempting to attack.  Thus, the
465	   introduction of vulnerabilities that might also be exploited by the
466	   opposition incurs a cost to both.  This concern is recognized in the
467	   NSA 'NOBUS' doctrine: Nobody but us.  To introduce a vulnerability in
468	   a random number generator that can only be exploited by a party that
469	   knows the necessary private key is acceptable.  But introducing a
470	   vulnerability that depends on the use of an unpublished cryptanalytic
471	   technique is not because that same technique might be discovered by
472	   the opposition.

474	   Subversion of cryptographic apparatus such as Hardware Security
475	   Modules (HSMs) and SSL accelerators faces similar constraints.  HSMs
476	   may be compromised by an adversary but the compromise must have taken
477	   place before the device was manufactured or serviced.

479	   Just as computational attacks are limited by the cryptanalytic
480	   techniques known to and the computational resources available to the
481	   attacker, social attacks are limited by the cost of the attack and
482	   the capacity of the attacker.

484	   The Cost Factor C(t) is an estimate of the cost of performing an
485	   attack on or before a particular date in time (t).

487	   For the sake of simplicity, currency units are used under the
488	   assumption that all the resources required are fungible and that all
489	   attackers face the same costs.  But such assumptions may need to be
490	   reconsidered when there is a range of attackers with very different
491	   costs and capabilities.  A hacktivist group could not conceivably
492	   amass the computational and covert technical resources available to
493	   the NSA but such a group could in certain circumstances conceivably
494	   organize a protest with a million or more participants while the
495	   number of NSA employees is believed to still be somewhat fewer.

497	   The computational and hypothetical work factors are compared against
498	   estimates of the computational resources of the attacker.  An attack
499	   is considered to be infeasible if that available computational
500	   resources do not allow the attack to be performed within a useful
501	   period of time.

503	   The cost factor is likewise compared against an incentive estimate,
504	   I(t) which is also time based.

506	   o  An attack is considered to be productive for an attacker if there
507	      was a time t for which I(t) > C(t).

509	   o  An attack is considered to be unproductive if there is no time at
510	      which it was productive for that attacker.

512	   Unlike Cost Factor for which a lower bound based on the lowest cost
513	   and highest capacity may be usefully applied to all attackers,
514	   differences in the incentive estimate between attackers are likely to
515	   be very significant.  Almost every government has the means to
516	   perform financial fraud on a vast scale but only rarely does a
517	   government have the incentive.  When governments do engage in
518	   activities such as counterfeiting banknotes this has been done for
519	   motives beyond mere peculation.

521	   While government actors do not respond to the same incentives as
522	   Internet criminals, governments fund espionage activities in the
523	   expectation of a return on their investment.  A government agency
524	   director who does not produce the desired returns is likely to be
525	   replaced.

527	   For example, when the viability of SSL and the Web PKI for protecting
528	   Internet payments was considered in the mid-1990s, the key question
529	   was whether the full cost of obtaining a fraudulently issued
530	   certificate would exceed the expected financial return where the full
531	   cost is understood to include the cost of registering a bogus
532	   corporation, submitting the documents and all the other activities
533	   that would be required if a sustainable model for payments fraud was
534	   to be established.

536	   For an attack to be attractive to an attacker it is not just
537	   necessary for it to be productive, the time between the initial
538	   investment and the reward and the likelihood of success are also
539	   important factors.  An attack that requires several years of advance
540	   planning is much less attractive than an attack which returns an
541	   immediate profit.

543	   An attack may be made less attractive by

545	   o  Increasing the cost

547	   o  Reducing the incentive

549	   o  Reducing the expected gain

551	   o  Reducing the probability that the incentive will be realized

553	   o  Increasing the time between the initial investment and the return.

555	   Most real-world security infrastructures are based on more than one
556	   of these approaches.  The WebPKI is designed to increase the cost of
557	   attack by introducing validation requirements and reduce the expected
558	   gain through its revocation infrastructure.

560	1.8.  Social Work Factor

562	   In the cost factor analysis, it is assumed that all costs are
563	   fungible, and the attack capacity of the attacker is only limited by
564	   their financial resources.  Some costs are not fungible however, in
565	   particular inducing a large number of people to accept a forgery
566	   without the effort being noticed requires much more than a limitless
567	   supply of funds.

569	   In a computational attack an operation will at worst fail to deliver
570	   success.  There is no penalty for failure beyond having failed to
571	   succeed.  When attempting to perpetuate a fraud on the general
572	   public, every attempt carries a risk of exposure of the entire
573	   scheme.  When attempting to perform any covert activity, every
574	   additional person who is indoctrinated into the conspiracy increases
575	   the chance of exposure.

577	   The totalitarian state envisioned by George Orwell in 1984 was only
578	   plausible because each and every citizen is coerced to act as a party
579	   to the conspiracy.  The erasure and replacement of the past was
580	   possible because the risk of exposure was nil.

582	   In 2011, I expressed concern to a retired senior member of the NSA
583	   staff that the number of contractors being hired to perform cyber-
584	   sabotage operations represented a security risk and might be creating
585	   a powerful constituency with an interest in the aggressive
586	   militarization of cyberspace rather than preparing for its defense.
587	   Subsequent disclosures by Robert Snowden have validated the
588	   disclosure risk aspect of these concerns.  Empirically, the NSA, an
589	   organization charged with protecting the secrecy of government
590	   documents, was unable to maintain the secrecy of their most important
591	   secrets when the size of the conspiracy reached a few ten thousand
592	   people.

594	   The community of commercial practitioners of cryptographic
595	   information security is small in size but encompasses many
596	   nationalities.  Many members of the community are bound by
597	   ideological commitments to protecting personal privacy as an
598	   unqualified moral objective.

600	   Introducing a backdoor into a HSM, application or operating system
601	   platform requires that every person with access to the platform
602	   source or who might be called in to audit the code be a party to the
603	   conspiracy.  Tapping the fiber optic cables that support the Internet
604	   backbone requires only a small work crew and digging equipment.
605	   Maintaining a covert backdoor in a major operating system platform
606	   would require hundreds if not thousands of engineers to participate
607	   in the conspiracy.

609	   The Social Work Factor SWF(t) is a measure of the cost of
610	   establishing a fraud in a conspiracy starting at date t.  The cost is
611	   measured in the number of actions that the party perpetrating the
612	   fraud must perform that carry a risk of exposure.

614	   In general, the Social Work Factor will increase over time.
615	   Perpetrating a fraud claiming that the Roman emperor Nero never
616	   existed today would require that millions of printed histories be
617	   erased and rewritten, every person who has ever taught or taken a
618	   lesson in Roman history would have to participate in the fraud.  The
619	   Social Work Factor would be clearly prohibitive.

621	   The Social Work Factor in the immediate aftermath of Nero's
622	   assassination in 68 would have been considerably lower.  While the
623	   emperor Nero was obviously not erased from history, this did happen
624	   to Akhenaten, an Egyptian pharaoh of the 18th dynasty whose monuments
625	   were dismantled, statues destroyed, and his name erased from the
626	   lists of kings.

628	1.8.1.  Related work

630	   It has not escaped the notice of the author that the social work
631	   factor might be applied as a general metric for assessing the
632	   viability of a conspiracy hypothesis.

634	   Applying social work factor analysis to the moon landing conspiracy
635	   theory we note that almost all of the tens of thousands of NASA
636	   employees who worked on the Apollo project would have had to be a
637	   part of the conspiracy and so would an even larger number of people
638	   who worked for NASA contractors.  The cost of perpetrating the hoax
639	   would have clearly exceeded any imaginable benefit while the risk of
640	   the hoax being exposed would have been catastrophic.

642	2.  The problem of trust

644	   Traditional (symmetric key) cryptography allows two parties to
645	   communicate securely provided they both know a particular piece of
646	   information known as a key that must be known to encrypt or decrypt
647	   the content.  Public Key cryptography proposed by Diffie and Hellman
648	   [Diffie76] provides much greater flexibility by using separate keys
649	   for separate roles such that it is possible to do one without being
650	   able to do the other.  In a public key system, an encryption key
651	   allows information to be encrypted but not to be decrypted.  That
652	   role can only be performed using the corresponding decryption key.

654	   The Mathematical Mesh recryption services further extend the
655	   capabilities of traditional public key infrastructures by further
656	   partitioning of the roles associated with the private key.  In the
657	   Mesh, this capability is referred to as 'recryption' as it was
658	   originally conceived of as being a form of Proxy Re-encryption as
659	   described by Blaze et. al. but it might equally well be considered as
660	   realizing distributed key generation as described by Pedersen.  A
661	   decryption key is split into two or more parts such that both parts
662	   must be involved to complete a private key operation.  These parts
663	   are then distributed to separate parties, thus achieving
664	   cryptographic enforcement of a separation of duties.

666	   Public key cryptography allows many (but certainly not all)
667	   information security concerns to be reduced to management of
668	   cryptographic keys.  If Alice knows the Bob's encryption key, she can
669	   send Bob an encrypted message that only he can read.  If Bob knows
670	   Alice's signature key, Bob can verify that a digital signature on the
671	   message really was created by Alice.

673	   A Public Key Infrastructure (PKI) is a combination of technologies,
674	   practices and services that support the management of public key
675	   pairs.  In particular, if Alice does not know Bob's public key, any
676	   infrastructure that is designed to provide her with this information
677	   may be regarded as a form of PKI.

679	   The big challenge faced in the design, deployment of operation of a
680	   PKI is that while Alice and Bob can communicate with perfect secrecy
681	   if they use each other's actual public keys, they will have worse
682	   than no security if an attacker can persuade them to use keys they
683	   control instead.  One of the chief concerns in PKI therefore is to
684	   allow users to assess the level of risk they face, a quality known as
685	   trust.

687	2.1.  Existing approaches

689	   Few areas of information security have engaged so much passionate
690	   debate or diverse proposals as PKI architecture.  Yet despite the
691	   intensity of this argument the state of deployment of PKI in the
692	   Internet has remained almost unchanged.

694	   TLS and SSH, the only Internet security protocols that have
695	   approached ubiquity both operate at the transport layer.  The use of
696	   IPSEC is largely limited to providing VPN access.  DNSSEC remains a
697	   work in progress.  Use of end-to-end secure email messaging is
698	   negligible and shows no sign of improvement as long as competition
699	   between S/MIME and OpenPGP remains at a stalemate in which one has a
700	   monopoly on mindshare and the other a monopoly on deployment.

702	2.1.1.  Trust After First Use (TAFU)

704	   Trust After First Use is a simple but often effective form of PKI.
705	   Instead of trying to verify each other's public key the first time
706	   they attempt to communicate, the parties record the public key
707	   credentials presented in their first interaction and check that the
708	   same credentials are presented in subsequent transactions.  While
709	   this approach does not absolutely guarantee that 'Alice' is really
710	   talking to 'Bob', as the conversation continues over hours, months or
711	   even years, they are both assured that they are talking to the same
712	   person.

714	2.1.2.  Direct Trust

716	   In the direct trust model, credentials are exchanged in person.  The
717	   exchange may be of the actual public key itself or by means of a
718	   'fingerprint' which is simply a means of formatting a cryptographic
719	   digest of the key to the user.

721	   Use of direct trust is robust and avoids the need to introduce any
722	   form of trusted third party.  It is also limited for the obvious
723	   reason that it is not always possible for users to meet in person.
724	   For this reason, protocols that attempt to offer a direct trust model
725	   often turn out to be being used in trust-after-first-use mode in
726	   practice when the behavior of users is examined.

728	2.1.3.  Certificate Authority

730	   The archetype of what is generally considered to be 'PKI' was
731	   introduced in Kohnfelder's 1978 Msc. Thesis [Kohnfelder78] . A
732	   Certificate Authority (CA)whose signature key is known to all the
733	   participants issues certificates binding the user's public key to
734	   their name and/or contact address(es).

736	   This approach forms the basis of almost every widely deployed PKI
737	   including the EMV PKI that support smart card payments, the CableLabs
738	   PKI that supports the use of set top boxes to access copyright
739	   protected content and the WebPKI mentioned earlier that supports the
740	   use of TLS in online commerce.

742	   One area in which the CA model has not met with widespread success is
743	   the provision of end-to-end secure email described in the original
744	   paper.  Despite the fact that S/MIME secure email has been supported
745	   by practically every major email client for over 20 years, only a
746	   small number of users are aware that email encryption is supported
747	   and even fewer user it on a regular basis.

749	   One of the reasons for this lack of uptake is the lack of uptake
750	   itself.  Until a critical mass of users is established, the network
751	   effect presents as the chicken and egg problem.  Another reason for
752	   the failure is the sheer inconvenience use of S/MIME presents to the
753	   user.  Obtaining, installing and maintaining certificates requires
754	   significant user effort and knowledge.  But even if these obstacles
755	   are addressed (as the Mesh attempts to do), as far as the open
756	   Internet is concerned, S/MIME provides little or no benefit over a
757	   direct trust model because there is no equivalent of the WebPKI for
758	   email.

760	   Most CAs that operate WebPKI services also offer S/MIME PKI services,
761	   but these are seldom used except by enterprises and government
762	   agencies where certificates are usually issued for internal use only.

764	   One of the chief difficulties in establishing a MailPKI analogous to
765	   the WebPKI is the difficulty of establishing a set of validation
766	   requirements that are cost effective to users and present a
767	   meaningful social work factor to attackers.

769	   When VeriSign began operating the first Internet CA, two classes of
770	   email certificate were offered that have since become a de facto
771	   industry standard:

773	   Class 1:  The CA verified that the subject applying for the
774	      certificate could read email sent to the address specified in the
775	      certificate.

777	   Class 2:  The requirements of class 1 plus the requirement that the
778	      certificate be issued through a Registration Authority that had
779	      been separately determined to meet the considerably more stringent
780	      validation requirements for organizations specified in class 3 and
781	      in particular, demonstrated ownership of the corresponding domain
782	      name.

784	   Class 2 certificates were designed to be issued by organizations to
785	   their employees and arguably present a more than adequate social work
786	   factor to prevent most forms of attack.  S/MIME certificates are in
787	   daily use to secure very sensitive communications relating to very
788	   high value transactions.  But this represents a niche application of
789	   what was intended to be a ubiquitous infrastructure that would
790	   eventually secure every email communication.

792	   The only type of certificate that the typical Internet user can
793	   obtain is class 1 which at best offers a small improvement on social
794	   work factor over Trust After First Use.

796	2.1.4.  Web of Trust

798	   The concept of the Web of Trust was introduced by Zimmerman with the
799	   launch of PGP.  It represents the antithesis of the hierarchical CA
800	   model then being proposed for the Privacy Enhance Mail scheme being
801	   considered by the IETF at the time.  A core objection to this model
802	   was the fact that users could only communicate securely by obtaining
803	   a certificate from a CA.  The goal of PGP was to democratize the
804	   process by making every user a trust provider.

806	   Like S/MIME, OpenPGP protocol has achieved some measure of success
807	   but has fallen far short of its original goal of becoming ubiquitous
808	   and almost none of the users have participated in the Web of Trust.

810	   One of the chief technical limitations of the Web of Trust is that
811	   trust degrades over distance.  An introduction from a friend of a
812	   friend has less value than one from a friend.  As the number of users
813	   gets larger, the chains of trust get longer, and the trustworthiness
814	   of the link becomes smaller.

816	   Another limitation is that as is fitting for a concept launched at
817	   the high tide of postmodernism, the trust provided is inherently
818	   relative.  Every user has a different view of the Web of Trust and
819	   thus a different degree of trust in the other users.  This makes it
820	   impossible for a commercial service to offer to navigate the Web of
821	   Trust on a user's behalf.

823	2.1.5.  Chained notary

825	   The rise of BitCoin [Bitcoin] and the blockchain technology on which
826	   it is based have given rise to numerous proposals that make use of a
827	   tamper-evident notary as either the basis for a new PKI (e.g.
828	   NameCoin [Namecoin] ) or to provide additional audit controls for an
829	   existing PKI (e.g.  Certificate Transparency [RFC6962] ).

831	   The principle of making a digital notary service tamper-evident by
832	   means of combining each output of the notary with the input of its
833	   successor using a cryptographic digest was proposed in 1991 by Haber
834	   and Stornetta [Haber91] . Every output of the notary depends on every
835	   one of the previous inputs.  Thus, any attempt to modify an input
836	   will cause every subsequent output to be invalidated.

838	   Notaries operating according to these principles can quickly achieve
839	   prohibitively high social work factors by simply signing their output
840	   values at regular intervals and publishing a record of the signed
841	   values.  Any attempt by the notary to tamper with the log will
842	   produce a non-repudiable proof of the defection.  Thus once an input
843	   value is enrolled in a chained notary, the social work factor for
844	   modifying that input subsequent to that becomes the same as the
845	   social work factor for subverting the notary and every party that has
846	   a record of the signed outputs of that notary.

848	   Enrolling the signed outputs of one notary as an input to another
849	   independently operated notary establishes a circumstance in which it
850	   is not possible for one notary to defect unless the other does as
851	   well.  Applying the same principle to a collection of notaries
852	   establishes a circumstance in which it is not possible for any notary
853	   to defect without that defection becoming evident unless every other
854	   notary also defects.  If such infrastructures are operated in
855	   different countries by a variety of reputable notaries, the social
856	   work factor of modifying an input after it is enrolled may be
857	   considered as to rapidly approach infinity.

859	   One corollary of this effect is that just as there is only one global
860	   postal system, one telephone system and one Internet, convergence of
861	   the chained notary infrastructure is also inevitable.  Users seeking
862	   the highest possible degree of tamper evidence will seek out notaries
863	   that cross notarize with the widest and most diverse range of other
864	   notaries.  I propose a name for this emergent infrastructure, the
865	   Internotary.

867	   According to the image presented in the popular press, it is the
868	   minting of new cryptocurrency that provides stability to the
869	   distributed leger at the heart of BitCoin, Etherium and their many
870	   imitators.  The fact that notaries that do not require proof of work,
871	   proof of stake or any other form of seigniorage offer the same social
872	   work factor (effectively infinite) as those that do demonstrates that
873	   it is not necessary to consume nation-state level quantities of
874	   electricity to operate such infrastructures.

876	   The attraction of employing such notaries in a PKI system is that the
877	   social work factor to forge a credential prior to a date that has
878	   already been notarized as past is infinite.  It is obvious that
879	   almost none of the thousands of OpenPGP keys registered with the key
880	   server infrastructure for 'Barack Obama' are genuine and so all the
881	   registered keys are untrustworthy.  But if it was known that one
882	   particular key had been registered in the 1980s, before Obama had
883	   become a political leader, that particular key would be considerably
884	   more trustworthy than the rest.

886	   The use of chained notaries may be viewed as providing a distributed
887	   form of Trust After First Use. The first use event in this case is
888	   the enrollment of the event in the notary.  Instead of Alice having
889	   to engage in separate first use events with Bob, Carol, Doug and
890	   every other user she interacts with, a single first use event with
891	   the internotary supports all her existing and future contacts.

893	2.1.6.  A blended approach

895	   As we have seen, different PKI architectures have emerged to serve
896	   different communities of use by offering different forms of trust.
897	   The trust provided by the OpenPGP and S/MIME PKIs to the communities
898	   they serve is distinct.  The S/MIME PKI does not provide a useful
899	   means of establishing a trusted relationship in a personal capacity.
900	   The OpenPGP PKI is not appropriate for establishing a trust
901	   relationship in an enterprise capacity.  Yet despite this obvious
902	   difference in capabilities, there has been no convergence between
903	   these competing approaches in the past two decades.

905	   The only convergence in approach that has developed over this period
906	   is within the applications that rely on PKI.  Most SSH clients and
907	   servers make provision for use of CA issued certificates for
908	   authentication.  Most email clients may be configured to support
909	   OpenPGP in addition to S/MIME.

911	   While offering the choice of CA issued, direct trust or Web of Trust
912	   credentials is better than insisting on the use of the one, true PKI,
913	   this approach is less powerful than a blended approach allowing the
914	   user to make use of all of them.

916	   In the blended approach, every user is a trust provider and can
917	   provide endorsements to other user and some (but not necessarily all)
918	   users have CA issued certificates.

920	   This approach follows the same patterns that have been applied in the
921	   issue of government credentials for centuries.  In many countries,
922	   passport applications must be endorsed by either a member of a
923	   profession that has frequent interaction with the public (e.g.
924	   doctors, lawyers and clerics), a licensed and registered set of
925	   public notaries or both.

927	   Analysis of the blended approach in terms of work factor reveals the
928	   surprising result that it can achieve a higher social work factor
929	   than either the CA model alone or the Web of Trust model alone.

931	   Consider the case that Alice and Bob have each obtained a certificate
932	   that presents a Social Work Factor of $10.  Applying the CA model in
933	   isolation, $10 is the limit to the SFW that can be achieved.  But if
934	   Alice and Bob were to meet and exchange endorsements, the SFW may be
935	   increased by up to $10.  If the exchange of endorsements is made in
936	   person by means of some QR code mediated cryptographic protocol, we
937	   might reasonably ascribe a SWF of $20 to each credential.

939	   This higher SWF can now be used to evaluate the value of endorsements
940	   issued by Alice and Bob to user Carol and of Carol to Doug, neither
941	   of whom has a CA issued certificates.  While the SWF of Carol is
942	   certainly less than $20 and the SWF or Doug is even lower, it is
943	   certainly greater than $0.

945	   While these particular values are given for the sake of example, it
946	   is clearly the case that as with the WebPKI, the blended approach
947	   permits trust to be quantified according to objective criteria even
948	   if the reliability of the values assigned remains subjective.  The
949	   Google Page Rank algorithm did not have to be perfect to be useful
950	   and just as the deployment of the Web spurred the development of
951	   engines offering better and more accurate search engines, deployment
952	   of blended PKI may be reasonably be expected to lead to the
953	   development of better and more accurate means of evaluating trust.

955	   The power of the blended approach is that it provides the reach of
956	   the Web of Trust model with the resilience of the CA model while
957	   permitting a measurable improvement in work factor over both.

959	   Combining the blended trust model with the internotary model allows
960	   these SWF values to be fixed in time.  It is one thing for an
961	   attacker to spend $100 to impersonate the President of the United
962	   States.  It is quite another for an attacker to spend $100 per target
963	   on every person who might become President of the United States in 20
964	   years' time.

966	3.  The Mesh of Trust

968	   The purpose of the Mathematical Mesh is to put the user rather than
969	   the designer in control of their trust infrastructure.  To this end,
970	   the Mesh supports use of any credential issued by any form of PKI and
971	   provides a means of using these credentials in a blended model.

973	3.1.  Master Profile

975	   The Mesh provides an infrastructure that enables a user to manage all
976	   the cryptographic keys and other infrastructure that are necessary to
977	   provide security.

979	   A Mesh master profile is the root of trust for each user's personal
980	   PKI.  By definition, every device, every application key that is a
981	   part of user's personal Mesh profile is ultimately authenticated
982	   either directly or indirectly by the signature key published in the
983	   master profile.

985	   Unlike user keys in traditional PKIs, a Mesh master profile is
986	   designed to permit (but not require) life long use.  A Master profile
987	   can be revoked but does not expire.  It is not possible to change the
988	   signature key in a master profile.  Should a compromise occur, a new
989	   master profile must be created.

991	3.2.  Uniform Data Fingerprints

993	   Direct trust in the Mesh is realized through use of Uniform Data
994	   Fingerprints (UDF) [draft-hallambaker-udf] . A UDF consists of a
995	   cryptographic digest (e.g.  SHA-2-512) over a data sequence and a
996	   content type identifier.

998	   UDFs are presented as a Base32 encoded sequence with separators every
999	   25 characters.  UDFs may be presented at different precisions
1000	   according to the intended use.  The 25-character presentation
1001	   provides a work factor of 2117 and is short enough to put on a
1002	   business card or present as a QR code.  The 50-character presentation
1003	   provides a work factor of 2242 and is compact enough to be used in a
1004	   configuration file.

1006	   For example, the UDF of the text/plain sequence "UDF Data Value" may
1007	   be presented in either of the following forms:

1009	   MDDK7-N6A72-7AJZN-OSTRX-XKS7D
1010	   MDDK7-N6A72-7AJZN-OSTRX-XKS7D-JAFXI-6OZSL-U2VOA-TZQ6J-MHPTS

1012	                                 Figure 1

1014	   The UDF of a user's master profile signature key is used as a
1015	   persistent, permanent identifier of the user that is unique to them
1016	   and will remain constant for their entire life unless they have
1017	   reason to replace their master profile with a new one.  The exchange
1018	   of master profile UDFs is the means by which Mesh users establish
1019	   direct trust.

1021	3.3.  Strong Internet Names

1023	   A Strong Internet name (SIN) [draft-hallambaker-sin] is a valid
1024	   Internet address that contains a UDF fingerprint of a security policy
1025	   describing interpretation of that name.

1027	   While a SIN creates a strong binding between an Internet address and
1028	   a security policy, it does not provide a mechanism for discovery of
1029	   the security policy.  Nor is it necessarily the case that this is
1030	   publicly available.

1032	   For example, Example Inc holds the domain name example.com and has
1033	   deployed a private CA whose root of trust is a PKIX certificate with
1034	   the UDF fingerprint MB2GK-6DUF5-YGYYL-JNY5E-RWSHZ.

1036	   Alice is an employee of Example Inc., she uses three email addresses:

1038	   alice@example.com  A regular email address (not a SIN).

1040	   alice@mm--mb2gk-6duf5-ygyyl-jny5e-rwshz.example.com  A strong email
1041	      address that is backwards compatible.

1043	   alice@example.com.mm--mb2gk-6duf5-ygyyl-jny5e-rwshz  A strong email
1044	      address that is backwards incompatible.

1046	   Use of SINs allows the use of a direct trust model to provide end-to-
1047	   end security using existing, unmodified email clients and other
1048	   Internet applications.

1050	   For example, Bob might use Microsoft Outlook 2019, an email
1051	   application that has no support for SINs as his email client.  He
1052	   configures Outlook to direct outbound mail through a SIN-aware proxy
1053	   service.  When Bob attempts to send mail to a strong email address
1054	   for Alice, the proxy recognizes that the email address is a SIN and
1055	   ensures that the necessary security enhancements are applied to meet
1056	   the implicit security policy.

1058	3.4.  Trust notary

1060	   A Mesh trust notary is a chained notary service that accepts
1061	   notarization requests from users and enrolls them in a publicly
1062	   visible, tamper-evident, append-only log.

1064	   The practices for operation of the trust notary are currently
1065	   undefined but should be expected to follow the approach described
1066	   above.

1068	   The trust notary protocol provides support for establishing an
1069	   internotary through cross certification.  The append only log format
1070	   is a DARE Container [draft-hallambaker-dare-container] , the service
1071	   protocol is currently in development.

1073	3.5.  Endorsement

1075	   An endorsement is a document submitted to a trust notary that
1076	   includes a claim of the form 'public key X is held by user Y'.  Mesh
1077	   endorsements may be issued by CAs or by ordinary users.

1079	3.6.  Evaluating trust

1081	   One of the chief advantages of the World Wide Web over previous
1082	   networked hypertext proposals was that it provided no means of
1083	   searching for content.  While the lack of a search capability was an
1084	   obstacle to content discovery in the early Web, competing solutions
1085	   to meeting this need were deployed, revised and replaced.

1087	   The Mesh takes the same approach to evaluation of trust.  The Mesh
1088	   provides an infrastructure for expression of trust claims but is
1089	   silent on their interpretation.  As with the development of search
1090	   for the Web, the evaluation of trust in the Mesh is left to the
1091	   application of venture capital to deep AI.

1093	4.  Conclusions

1095	   This paper describes the principal approaches used to establish
1096	   Internet trust, a means of evaluating them and a proposed successor.
1097	   It now remains to determine the effectiveness of the proposed
1098	   approach by attempting deployment.

1100	5.  References

1102	5.1.  Informative References

1104	   [Adrian2015]
1105	              Adrian, D., "Weak Diffie-Hellman and the Logjam Attack",
1106	              October 2015.

1108	   [Bitcoin]  Finley, K., "After 10 Years, Bitcoin Has Changed
1109	              Everything?And Nothing", November 2018.

1111	   [Diffie76]
1112	              Diffie, W. and M. Hellman, "New Directions in
1113	              Cryptography", November 1976.

1115	   [draft-hallambaker-dare-container]
1116	              Hallam-Baker, P., "Data At Rest Encryption Part 2: DARE
1117	              Container", draft-hallambaker-dare-container-02 (work in
1118	              progress), August 2018.

1120	   [draft-hallambaker-sin]
1121	              Hallam-Baker, P., "Strong Internet Names (SIN)", draft-
1122	              hallambaker-sin-03 (work in progress), April 2018.

1124	   [draft-hallambaker-udf]
1125	              Hallam-Baker, P., "Uniform Data Fingerprint (UDF)", draft-
1126	              hallambaker-udf-12 (work in progress), January 2019.

1128	   [Haber91]  Haber, S. and W. Stornetta, "How to Time-Stamp a Digital
1129	              Document", 1991.

1131	   [Intel2018]
1132	              Bell, L., "Intel delays 10nm Cannon Lake processors,
1133	              again, until late 2019", July 2018.

1135	   [Kohnfelder78]
1136	              Kohnfelder, L., "Towards a Practical Public-Key
1137	              Cryptosystem", May 1978.

1139	   [Namecoin]
1140	              "Namecoin Web Site", 2019.

1142	   [Ratchet]  Marlinspike, M. and T. Perrin, "The Double Ratchet
1143	              Algorithm", November 2016.

1145	   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
1146	              Key Derivation Function (HKDF)", RFC 5869,
1147	              DOI 10.17487/RFC5869, May 2010.

1149	   [RFC6246]  Sajassi, A., Brockners, F., Mohan, D., and Y. Serbest,
1150	              "Virtual Private LAN Service (VPLS) Interoperability with
1151	              Customer Edge (CE) Bridges", RFC 6246,
1152	              DOI 10.17487/RFC6246, June 2011.

1154	   [RFC6962]  Laurie, B., Langley, A., and E. Kasper, "Certificate
1155	              Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013.

1157	   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
1158	              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

1160	   [Schneier2013]
1161	              Schneier, B., "Defending Against Crypto Backdoors",
1162	              October 2013.

1164	   [Shannon1949]
1165	              Shannon, C., "Communication Theory of Secrecy Systems",
1166	              1949.

1168	5.2.  URIs

1170	   [1] http://mathmesh.com/Documents/draft-hallambaker-mesh- trust.html

1172	Author's Address

1174	   Phillip Hallam-Baker

1176	   Email: phill@hallambaker.com