idnits 2.17.1 

draft-hallambaker-mesh-trust-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The abstract seems to contain references ([1]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (April 4, 2019) is 1847 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '1' on line 1183

  -- Obsolete informational reference (is this intentional?): RFC 6962
     (Obsoleted by RFC 9162)


     Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                    P. Hallam-Baker
3	Internet-Draft                                             April 4, 2019
4	Intended status: Informational
5	Expires: October 6, 2019

7	               Mathematical Mesh Part VI: The Trust Mesh
8	                    draft-hallambaker-mesh-trust-01

10	Abstract

12	   This paper extends Shannon's concept of a 'work factor' as applied to
13	   evaluation of cryptographic algorithms to provide an objective
14	   measure of the practical security offered by a protocol or
15	   infrastructure design.  Considering the hypothetical work factor
16	   based on an informed estimate of the probable capabilities of an
17	   attacker with unknown resources provides a better indication of the
18	   relative strength of protocol designs than the computational work
19	   factor of the best-known attack.

21	   The social work factor is a measure of the trustworthiness of a
22	   credential issued in a PKI based on the cost of having obtained the
23	   credential through fraud at a certain point in time.  Use of the
24	   social work factor allows evaluation of Certificate Authority based
25	   trust models and peer to peer (Web of Trust) models to be evaluated
26	   in the same framework.  The analysis demonstrates that both
27	   approaches have limitations and that in certain applications, a
28	   blended model is superior to either by itself.

30	   The final section of the paper describes a proposal to realize this
31	   blended model using the Mathematical Mesh.

33	   This document is also available online at
34	   http://mathmesh.com/Documents/draft-hallambaker-mesh-trust.html [1] .

36	Status of This Memo

38	   This Internet-Draft is submitted in full conformance with the
39	   provisions of BCP 78 and BCP 79.

41	   Internet-Drafts are working documents of the Internet Engineering
42	   Task Force (IETF).  Note that other groups may also distribute
43	   working documents as Internet-Drafts.  The list of current Internet-
44	   Drafts is at https://datatracker.ietf.org/drafts/current/.

46	   Internet-Drafts are draft documents valid for a maximum of six months
47	   and may be updated, replaced, or obsoleted by other documents at any
48	   time.  It is inappropriate to use Internet-Drafts as reference
49	   material or to cite them other than as "work in progress."

51	   This Internet-Draft will expire on October 6, 2019.

53	Copyright Notice

55	   Copyright (c) 2019 IETF Trust and the persons identified as the
56	   document authors.  All rights reserved.

58	   This document is subject to BCP 78 and the IETF Trust's Legal
59	   Provisions Relating to IETF Documents
60	   (https://trustee.ietf.org/license-info) in effect on the date of
61	   publication of this document.  Please review these documents
62	   carefully, as they describe your rights and restrictions with respect
63	   to this document.  Code Components extracted from this document must
64	   include Simplified BSD License text as described in Section 4.e of
65	   the Trust Legal Provisions and are provided without warranty as
66	   described in the Simplified BSD License.

68	Table of Contents

70	   1.  Work Factor . . . . . . . . . . . . . . . . . . . . . . . . .   3
71	     1.1.  Computational Work Factor . . . . . . . . . . . . . . . .   3
72	     1.2.  Hypothetical Work Factor  . . . . . . . . . . . . . . . .   4
73	     1.3.  Known Unknowns  . . . . . . . . . . . . . . . . . . . . .   5
74	     1.4.  Defense in Depth  . . . . . . . . . . . . . . . . . . . .   6
75	     1.5.  Mutual Reinforcement  . . . . . . . . . . . . . . . . . .   7
76	     1.6.  Safety in Numbers . . . . . . . . . . . . . . . . . . . .   8
77	     1.7.  Cost Factor . . . . . . . . . . . . . . . . . . . . . . .  10
78	     1.8.  Social Work Factor  . . . . . . . . . . . . . . . . . . .  12
79	       1.8.1.  Related work  . . . . . . . . . . . . . . . . . . . .  14
80	   2.  The problem of trust  . . . . . . . . . . . . . . . . . . . .  14
81	     2.1.  Existing approaches . . . . . . . . . . . . . . . . . . .  15
82	       2.1.1.  Trust After First Use (TAFU)  . . . . . . . . . . . .  15
83	       2.1.2.  Direct Trust  . . . . . . . . . . . . . . . . . . . .  16
84	       2.1.3.  Certificate Authority . . . . . . . . . . . . . . . .  16
85	       2.1.4.  Web of Trust  . . . . . . . . . . . . . . . . . . . .  17
86	       2.1.5.  Chained notary  . . . . . . . . . . . . . . . . . . .  18
87	       2.1.6.  A blended approach  . . . . . . . . . . . . . . . . .  19
88	   3.  The Mesh of Trust . . . . . . . . . . . . . . . . . . . . . .  21
89	     3.1.  Master Profile  . . . . . . . . . . . . . . . . . . . . .  21
90	     3.2.  Uniform Data Fingerprints . . . . . . . . . . . . . . . .  21
91	     3.3.  Strong Internet Names . . . . . . . . . . . . . . . . . .  22
92	     3.4.  Trust notary  . . . . . . . . . . . . . . . . . . . . . .  23
93	     3.5.  Endorsement . . . . . . . . . . . . . . . . . . . . . . .  23
94	     3.6.  Evaluating trust  . . . . . . . . . . . . . . . . . . . .  23
95	   4.  Conclusions . . . . . . . . . . . . . . . . . . . . . . . . .  24
96	   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  24
97	   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  24
98	     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  24
99	     6.2.  Informative References  . . . . . . . . . . . . . . . . .  24
100	     6.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .  25
101	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  26

103	1.  Work Factor

105	   Recent events have highlighted both the need for open standards-based
106	   security protocols and the possibility that the design of such
107	   protocols may have been sabotaged [Schneier2013] . We thus face two
108	   important and difficult challenges, first to design an Internet
109	   security infrastructure that offers practical security against the
110	   class of attacks revealed, and secondly, to convince potential users
111	   that the proposed new infrastructure has not been similarly
112	   sabotaged.

114	   The measure of a security of a system is the cost and difficulty of
115	   making a successful attack.  The security of a safe is measured by
116	   the length time it is expected to resist attack using a specified set
117	   of techniques.  The security of a cryptographic algorithm against a
118	   known attack is measured by the computational cost of the attack.

120	   This paper extends Shannon's concept of a 'work factor' [Shannon1949]
121	   to provide an objective measure of the security a protocol or
122	   infrastructure offers against other forms of attack.

124	1.1.  Computational Work Factor

126	   The term 'Computational Work Factor' is used to refer to Shannon's
127	   original concept.

129	   One of Shannon's key insights was that the work factor of a
130	   cryptographic algorithm could be exponential.  Adding a single bit to
131	   the key size of an ideal symmetric algorithm presents only a modest
132	   increase in computational effort for the defender but doubles the
133	   work factor for the attacker.

135	   More precisely, the difficulty of breaking a cryptographic algorithm
136	   is generally measured by the work-factor ratio.  If the cost of
137	   encrypting a block with 56-bit DES is x, the worst case cost of
138	   recovering the key through a brute force attack is 2^56x.  The
139	   security of DES has changed over time because x has fallen
140	   exponentially.

142	   While the work factor is traditionally measured in terms of the
143	   number of operations, many cryptanalytic techniques permit memory
144	   used to be traded for computational complexity.  An attack requiring
145	   2^64 bytes of memory that reduces the number of operations required
146	   to break a 128 bit cipher to 2^64 is a rather lower concern than one
147	   which reduces the number of operations to 2^80.  The term 'cost' is
148	   used to gloss over such distinctions.

150	   The Computational Work Factor ratio WF-C (A) of a cryptographic
151	   algorithm A, is the cost of the best-known attack divided by the cost
152	   of the algorithm itself.

154	1.2.  Hypothetical Work Factor

156	   Modern cryptographic algorithms use keys of 128 bits or more and
157	   present a work factor ratio of 2^128 against brute force attack.
158	   This work factor is at least 2^72 times higher than DES and
159	   comfortably higher than the work factor of 2^80 operations that is
160	   generally believed to be the practical limit to current attacks.

162	   Though Moore's law has delivered exponential improvements in
163	   computing performance over the past four decades, this has been
164	   achieved through continual reductions in the minimum feature size of
165	   VLSI circuits.  As the minimum feature size rapidly approaches the
166	   size of individual atoms, this mechanism has already begun to stall
167	   [Intel2018] .

169	   While an exceptionally well-resourced attacker may gain performance
170	   advances through use of massive parallelism, faster clock rates made
171	   possible by operating at super-low temperatures and custom designed
172	   circuits, the return on such approaches is incremental rather than
173	   exponential.

175	   Performance improvements may allow an attacker to break systems with
176	   a work factor several orders of magnitude greater than the public
177	   state of the art.  But an advance in cryptanalysis might permit a
178	   potentially more significant reduction in the work factor.

180	   The primary consideration in the choice of a cryptographic algorithm
181	   therefore is not the known computational work factor as measured
182	   according to the best publicly known attack but the confidence that
183	   the computational work factor of the best attack that might be known
184	   to the attacker.

186	   While the exact capabilities of the adversary are unknown, a group of
187	   informed experts may arrive at a conservative estimate of their
188	   likely capabilities.  In particular, it is the capabilities of
189	   nation-state actors that generally give rise to greatest concern in
190	   security protocol design.  In this paper we refer to this set of
191	   actors as nation-state class adversaries in recognition of the fact
192	   that certain technology companies posses computing capabilities that
193	   rival if not exceed those of the largest state actors and those
194	   capabilities could at least in theory be co-opted for other purposes
195	   in certain circumstances.

197	   The probability that a nation-state class has discovered an attack
198	   against AES-128 with a work factor ratio of 2^120 might be considered
199	   relatively high while the probability that an attack with a work
200	   factor ratio of less than 2^64 is very low.

202	   We define the hypothetical work factor function WF-H (A, p) as
203	   follows: If WF is a work factor ratio and p is an informed estimate
204	   of the probability that an adversary has developed an attack with a
205	   work factor ratio against algorithm A of WF or less then WF-H (A, p)
206	   = WF.

208	   Since the best-known public attack is known to the attacker, WF-H (A,
209	   1) = _CWF (A)

211	   The inverse function WF-H' (A, WF) returns the estimated probability
212	   that the work factor of algorithm A is at least WF.

214	   The hypothetical work factor and its inverse may be used to compare
215	   the relative strengths of protocol designs.  Given designs A and B,
216	   we can state that B is an improvement on A if WF-H (A,p) > WF-H (B,p)
217	   for all p.

219	   When considering a protocol or infrastructure design we can thus
220	   improve a protocol by either:

222	   o  Increasing WF-H (A,p) for some p, or

224	   o  Decreasing WF-H '(A,WF)

226	1.3.  Known Unknowns

228	   Unlike the computational work factor, the hypothetical work factor
229	   does not provide an objective measure of the security offered by a
230	   design.  The purpose of the hypothetical work factor is to allow the
231	   protocol designer to compare the security offered by different design
232	   choices.

234	   The task that the security engineer faces is to secure the system
235	   from all attacks whether the attacks themselves are known or unknown.
236	   In the current case it is known that an attacker is capable of
237	   breaking at least some of the cryptographic algorithms in use.  But
238	   not which algorithms are affected or the nature of the attack(s).

240	   Unlike the computational work factor, the hypothetical work factor
241	   does not deliver an academically rigorous, publication and citation
242	   worthy measure of the strength of a design.  That is not its purpose.
243	   the purpose of the hypothetical work factor is to assist the protocol
244	   designer in designing protocols.

246	   Design of security protocols has always required the designer to
247	   consider attackers whose capabilities are not currently known and
248	   thus involved a considerable degree of informed opinion and
249	   guesswork.  Whether correctly or not, the decision to reject changes
250	   to the DNSSEC protocol to enable deployment in 2002 rested in part on
251	   a statement by a Security Area Director that a proposed change gave
252	   him 'a bad feeling in his gut'.  The hypothetical work factor permits
253	   the security designer to model to quantify such intestinally based
254	   assumptions and model the effect on the security of the resulting
255	   design.

257	   Security is a property of systems rather than individual components.
258	   While it is quite possible that there are no royal roads to
259	   cryptanalysis and cryptanalysis of algorithms such as AES 128 is
260	   infeasible even for the nation state class adversaries, such
261	   adversaries are not limited to use of cryptanalytic attacks.

263	   Despite the rise of organized cyber-crime, many financial systems
264	   still employ weak cryptographic systems that are known to be
265	   vulnerable to cryptanalytic attacks that are well within the
266	   capabilities of the attackers.  But fraud based on such techniques
267	   remains vanishingly rare as it is much easier for the attackers to
268	   persuade bank customers to simply give their access credentials to
269	   the attacker.

271	   Even if a nation-state class attacker has a factoring attack which
272	   renders an attack on RSA-2048 feasible, it is almost certainly easier
273	   for a nation-state class attacker to compromise a system using
274	   RSA-2048 in other ways.  For example, persuading the target of the
275	   surveillance to use cryptographic devices with a random number
276	   generator that leaks a crib for the attacker.  Analyzing the second
277	   form of attack requires a different type of analysis which is
278	   addressed in the following section on social work factor.

280	1.4.  Defense in Depth

282	   The motivation behind introducing the concept of the hypothetical
283	   work factor is a long experience of seeing attempts to make security
284	   protocols more robust being deflected by recourse to specious
285	   arguments based on the computational work factor.

287	   For example, consider the case in which a choice between a single
288	   security control and a defense in depth strategy is being considered:

290	   o  Option A: Uses algorithm X for protection.

292	   o  Option B: Uses a combination of algorithm X and algorithm Y for
293	      protection such that the attacker must defeat both to break the
294	      system and algorithms based on different cryptographic principles
295	      are chosen so as to minimize the risk of a common failure mode.

297	   If the computational work factor for both algorithms X and Y is
298	   2^128, both options present the same work factor ratio.  Although
299	   Option B offers twice the security, it also requires twice the work.

301	   The argument that normally wins is that both options present the same
302	   computational work factor ratio of 2^128, Option A is simpler and
303	   therefore Option A should be chosen.  This despite the obvious fact
304	   that only Option B offers defense in depth.

306	   If we consider the adversary of being capable of performing a work
307	   factor ratio of 2^80 and the probability the attacker has discovered
308	   an attack capable of breaking algorithms X and Y to be 10% in each
309	   case, the probability that the attacker can break Option A is 10%
310	   while the probability that an attack on Option B is only 1%, a
311	   significant improvement.

313	   While Option B clearly offers a significant potential improvement in
314	   security, this improvement is only fully realized if the
315	   probabilities of a feasible attack are independent.

317	1.5.  Mutual Reinforcement

319	   The defense in depth approach affords a significant improvement in
320	   security but an improvement that is incremental rather than
321	   exponential in character.  With mutual reinforcement we design the
322	   mechanism such that in addition to requiring the attacker to break
323	   each of the component algorithms, the difficulty of the attacks is
324	   increased.

326	   For example, consider the use of a Deterministic Random Number
327	   Generator R(s,n) which returns a sequence of values R(s,1), R(s,2)...
328	   from an initial seed s.

330	   Two major concerns in the design of such generators are the
331	   possibility of bias and that the seed value be somehow leaked through
332	   a side channel.

334	   Both concerns are mitigated if instead of using the output of one
335	   generator directly, two independent random number generators with
336	   distinct seeds are used.

338	   For example, consider the use of the value R1(s1,n) XOR R2(s2,n)
339	   where R1(s,n) and R2(s,n) are different random number generation
340	   functions and s1, s2 are distinct seeds.

342	   The XOR function has the property of preserving randomness so that
343	   the output is guaranteed to be at least as random as either of the
344	   generators from which it is built (provided that there is not a
345	   common failure mode).  Further, recovery of either random seed is at
346	   least as hard as using the corresponding generator on its own.  Thus,
347	   the Hypothetical work factor for the combined system is improved to
348	   at least the same extent as in the defense in depth case.

350	   But any attempt to break either generator must now face the
351	   additional complexity introduced by the output being masked with the
352	   unknown output of the other.  An attacker cannot cryptanalyze the two
353	   generator functions independently.  If the two generators and the
354	   seeds are genuinely independent, the combined hypothetical work
355	   factor is the product of the hypothetical work factors from which it
356	   is built.

358	   While implementing two independent generators and seeds represents a
359	   significant increase in cost for the implementer, a similar
360	   exponential leverage might be realized with negligible additional
361	   complexity through use of a cryptographic digest of the generator
362	   output to produce the masking value.

364	1.6.  Safety in Numbers

366	   In a traditional security analysis, the question of concern is
367	   whether a cryptanalytic attack is feasible or not.  When considering
368	   an indiscriminate intercept capability as in a nation-state class
369	   attack, the concern is not just whether an individual communication
370	   might be compromised but the number of communications that may be
371	   compromised for a given amount of effort.

373	   'Perfect' Forward Secrecy is an optional feature supported in IPSec
374	   and TLS.  In 2008, implementations of TLS/1.2 [RFC6246] purported to
375	   offer a choice between:

377	   Direct key exchange with a work factor dependent on the difficulty of
378	   breaking RSA 2048
379	   Direct key exchange followed by a perfect forward secrecy exchange
380	   with a work factor dependent on the difficulty of breaking both RSA
381	   2048 and DH 1024.

383	   Using the computational work factor alone suggests that the second
384	   scheme has little advantage over the first since the computational
385	   work factor of Diffie Hellman using the best-known techniques 2^80
386	   while the computational work factor for RSA 2048 is 2^112.  Use of
387	   the perfect forward secrecy exchange has a significant impact on
388	   server performance but does not increase the difficulty of
389	   cryptanalysis.

391	   Use of perfect forward secrecy with a combination of RSA and Diffie
392	   Hellman does not provide a significant improvement in the
393	   hypothetical work factor either if individual messages are
394	   considered.  The RSA and Diffie Hellman systems are closely related
395	   and so an attacker that can break RSA 2048 can almost certainly break
396	   RSA 1024.  Moreover, computational work factor for DH 1024 is only
397	   2^80 and thus feasibly within the reach of a well-funded and
398	   determined attacker.

400	   According to the analysis informally applied during design, use of
401	   perfect forward secrecy does provide an important security benefit
402	   when multiple messages are considered.  While a sufficiently funded
403	   and determined attacker could conceivably break tens, hundreds or
404	   even thousands of DH 1024 keys a year, it is rather less likely that
405	   an attacker could break millions a year.  The OCSP servers operated
406	   by Comodo CA receive over 2 billion hits a day and this represents
407	   only a fraction of the number of uses of TLS on the Internet.  Use of
408	   perfect forward secrecy does not prevent an attacker from decrypting
409	   any particular message but raises the cost of indiscriminate
410	   intercept and decryption.

412	   Unfortunately, this analysis is wrong because the TLS key exchange
413	   does not achieve a work factor dependent on the difficulty of
414	   breaking both RSA 2048 and DH 1024.  The pre-master secret
415	   established in the initial RSA 2048 exchange is only used to
416	   authenticate the key exchange process itself.  The session keys used
417	   to encrypt content are derived from the weaker ephemeral key
418	   exchange, the parameters of which are exchanged in plaintext.  Due to
419	   this defect in the design of the protocol, the Work Factor of the
420	   protocol is the work factor of DH1024 alone.

422	   Nor does the use of Diffie Hellman in this fashion provide security
423	   when multiple messages are exchanged.  The Logjam attack [Adrian2015]
424	   exploits the fact that the difficulty of breaking the discrete
425	   logarithm involves four major steps, the first three of which are the
426	   most computationally intensive and only depend on the shared group
427	   parameters.  The cost of breaking a hundred Diffie Hellman public
428	   keys is not a hundred times the cost of breaking a single key, there
429	   is almost no difference.

431	   Work factor analysis exposes these flaws in the design of the
432	   TLS/1.2.  Since the session keys used to encrypt traffic do not
433	   depend on knowing the secret established in the RSA2048 exchange, the
434	   work factor of the protocol is the lesser of 2^80 and 2^112.

436	   A simple means of ensuring that the work factor of a protocol is not
437	   reduced by a fresh key exchange is to use a one-way function such as
438	   a cryptographic digest or a key exchange to combine the output of the
439	   prior exchange with its successor.  This principle is employed in the
440	   double ratchet algorithm [Ratchet] used in the Signal protocol.  In
441	   the Mesh, the HKDF Key Derivation function [RFC5869] is frequently
442	   used for the same purpose.

444	   The work factor downgrade issue was addressed in TLS/1.3 [RFC8446]
445	   albeit in a less direct fashion by encrypting the ephemeral key
446	   exchange.

448	1.7.  Cost Factor

450	   As previously discussed, cryptanalysis is not the only tool available
451	   to an attacker.  Faced with a robust cryptographic defense, Internet
452	   criminals have employed 'social engineering' instead.  A nation-state
453	   class attacker may use any and every tool at their disposal including
454	   tools that are unique to government backed adversaries such as the
455	   threat of legal sanctions against trusted intermediaries.

457	   Although attackers can and will use every tool at their disposal,
458	   each tool carries a cost and some tools require considerable advance
459	   planning to use.  It is conceivable that the AES standard published
460	   by NIST contains a backdoor that somehow escaped the extensive peer
461	   review.  But any such effort would have had to have begun well in
462	   advance of 1998 when the Rijndael cipher was first published.

464	   Nation-state class actors frequently rely for security on the same
465	   infrastructures that they are attempting to attack.  Thus, the
466	   introduction of vulnerabilities that might also be exploited by the
467	   opposition incurs a cost to both.  This concern is recognized in the
468	   NSA 'NOBUS' doctrine: Nobody but us.  To introduce a vulnerability in
469	   a random number generator that can only be exploited by a party that
470	   knows the necessary private key is acceptable.  But introducing a
471	   vulnerability that depends on the use of an unpublished cryptanalytic
472	   technique is not because that same technique might be discovered by
473	   the opposition.

475	   Subversion of cryptographic apparatus such as Hardware Security
476	   Modules (HSMs) and SSL accelerators faces similar constraints.  HSMs
477	   may be compromised by an adversary but the compromise must have taken
478	   place before the device was manufactured or serviced.

480	   Just as computational attacks are limited by the cryptanalytic
481	   techniques known to and the computational resources available to the
482	   attacker, social attacks are limited by the cost of the attack and
483	   the capacity of the attacker.

485	   The Cost Factor C(t) is an estimate of the cost of performing an
486	   attack on or before a particular date in time (t).

488	   For the sake of simplicity, currency units are used under the
489	   assumption that all the resources required are fungible and that all
490	   attackers face the same costs.  But such assumptions may need to be
491	   reconsidered when there is a range of attackers with very different
492	   costs and capabilities.  A hacktivist group could not conceivably
493	   amass the computational and covert technical resources available to
494	   the NSA but such a group could in certain circumstances conceivably
495	   organize a protest with a million or more participants while the
496	   number of NSA employees is believed to still be somewhat fewer.

498	   The computational and hypothetical work factors are compared against
499	   estimates of the computational resources of the attacker.  An attack
500	   is considered to be infeasible if that available computational
501	   resources do not allow the attack to be performed within a useful
502	   period of time.

504	   The cost factor is likewise compared against an incentive estimate,
505	   I(t) which is also time based.

507	   o  An attack is considered to be productive for an attacker if there
508	      was a time t for which I(t) > C(t).

510	   o  An attack is considered to be unproductive if there is no time at
511	      which it was productive for that attacker.

513	   Unlike Cost Factor for which a lower bound based on the lowest cost
514	   and highest capacity may be usefully applied to all attackers,
515	   differences in the incentive estimate between attackers are likely to
516	   be very significant.  Almost every government has the means to
517	   perform financial fraud on a vast scale but only rarely does a
518	   government have the incentive.  When governments do engage in
519	   activities such as counterfeiting banknotes this has been done for
520	   motives beyond mere peculation.

522	   While government actors do not respond to the same incentives as
523	   Internet criminals, governments fund espionage activities in the
524	   expectation of a return on their investment.  A government agency
525	   director who does not produce the desired returns is likely to be
526	   replaced.

528	   For example, when the viability of SSL and the Web PKI for protecting
529	   Internet payments was considered in the mid-1990s, the key question
530	   was whether the full cost of obtaining a fraudulently issued
531	   certificate would exceed the expected financial return where the full
532	   cost is understood to include the cost of registering a bogus
533	   corporation, submitting the documents and all the other activities
534	   that would be required if a sustainable model for payments fraud was
535	   to be established.

537	   For an attack to be attractive to an attacker it is not just
538	   necessary for it to be productive, the time between the initial
539	   investment and the reward and the likelihood of success are also
540	   important factors.  An attack that requires several years of advance
541	   planning is much less attractive than an attack which returns an
542	   immediate profit.

544	   An attack may be made less attractive by

546	   o  Increasing the cost

548	   o  Reducing the incentive

550	   o  Reducing the expected gain

552	   o  Reducing the probability that the incentive will be realized

554	   o  Increasing the time between the initial investment and the return.

556	   Most real-world security infrastructures are based on more than one
557	   of these approaches.  The WebPKI is designed to increase the cost of
558	   attack by introducing validation requirements and reduce the expected
559	   gain through its revocation infrastructure.

561	1.8.  Social Work Factor

563	   In the cost factor analysis, it is assumed that all costs are
564	   fungible, and the attack capacity of the attacker is only limited by
565	   their financial resources.  Some costs are not fungible however, in
566	   particular inducing a large number of people to accept a forgery
567	   without the effort being noticed requires much more than a limitless
568	   supply of funds.

570	   In a computational attack an operation will at worst fail to deliver
571	   success.  There is no penalty for failure beyond having failed to
572	   succeed.  When attempting to perpetuate a fraud on the general
573	   public, every attempt carries a risk of exposure of the entire
574	   scheme.  When attempting to perform any covert activity, every
575	   additional person who is indoctrinated into the conspiracy increases
576	   the chance of exposure.

578	   The totalitarian state envisioned by George Orwell in 1984 was only
579	   plausible because each and every citizen is coerced to act as a party
580	   to the conspiracy.  The erasure and replacement of the past was
581	   possible because the risk of exposure was nil.

583	   In 2011, I expressed concern to a retired senior member of the NSA
584	   staff that the number of contractors being hired to perform cyber-
585	   sabotage operations represented a security risk and might be creating
586	   a powerful constituency with an interest in the aggressive
587	   militarization of cyberspace rather than preparing for its defense.
588	   Subsequent disclosures by Robert Snowden have validated the
589	   disclosure risk aspect of these concerns.  Empirically, the NSA, an
590	   organization charged with protecting the secrecy of government
591	   documents, was unable to maintain the secrecy of their most important
592	   secrets when the size of the conspiracy reached a few ten thousand
593	   people.

595	   The community of commercial practitioners of cryptographic
596	   information security is small in size but encompasses many
597	   nationalities.  Many members of the community are bound by
598	   ideological commitments to protecting personal privacy as an
599	   unqualified moral objective.

601	   Introducing a backdoor into a HSM, application or operating system
602	   platform requires that every person with access to the platform
603	   source or who might be called in to audit the code be a party to the
604	   conspiracy.  Tapping the fiber optic cables that support the Internet
605	   backbone requires only a small work crew and digging equipment.
606	   Maintaining a covert backdoor in a major operating system platform
607	   would require hundreds if not thousands of engineers to participate
608	   in the conspiracy.

610	   The Social Work Factor _SWF(t) is a measure of the cost of
611	   establishing a fraud in a conspiracy starting at date t.  The cost is
612	   measured in the number of actions that the party perpetrating the
613	   fraud must perform that carry a risk of exposure.

615	   In general, the Social Work Factor will increase over time.
616	   Perpetrating a fraud claiming that the Roman emperor Nero never
617	   existed today would require that millions of printed histories be
618	   erased and rewritten, every person who has ever taught or taken a
619	   lesson in Roman history would have to participate in the fraud.  The
620	   Social Work Factor would be clearly prohibitive.

622	   The Social Work Factor in the immediate aftermath of Nero's
623	   assassination in 68 would have been considerably lower.  While the
624	   emperor Nero was obviously not erased from history, this did happen
625	   to Akhenaten, an Egyptian pharaoh of the 18^th dynasty whose
626	   monuments were dismantled, statues destroyed, and his name erased
627	   from the lists of kings.

629	1.8.1.  Related work

631	   It has not escaped the notice of the author that the social work
632	   factor might be applied as a general metric for assessing the
633	   viability of a conspiracy hypothesis.

635	   Applying social work factor analysis to the moon landing conspiracy
636	   theory we note that almost all of the tens of thousands of NASA
637	   employees who worked on the Apollo project would have had to be a
638	   part of the conspiracy and so would an even larger number of people
639	   who worked for NASA contractors.  The cost of perpetrating the hoax
640	   would have clearly exceeded any imaginable benefit while the risk of
641	   the hoax being exposed would have been catastrophic.

643	2.  The problem of trust

645	   Traditional (symmetric key) cryptography allows two parties to
646	   communicate securely provided they both know a particular piece of
647	   information known as a key that must be known to encrypt or decrypt
648	   the content.  Public Key cryptography proposed by Diffie and Hellman
649	   [Diffie76] provides much greater flexibility by using separate keys
650	   for separate roles such that it is possible to do one without being
651	   able to do the other.  In a public key system, an encryption key
652	   allows information to be encrypted but not to be decrypted.  That
653	   role can only be performed using the corresponding decryption key.

655	   The Mathematical Mesh recryption services further extend the
656	   capabilities of traditional public key infrastructures by further
657	   partitioning of the roles associated with the private key.  In the
658	   Mesh, this capability is referred to as 'recryption' as it was
659	   originally conceived of as being a form of Proxy Re-encryption as
660	   described by Blaze et. al. but it might equally well be considered as
661	   realizing distributed key generation as described by Pedersen.  A
662	   decryption key is split into two or more parts such that both parts
663	   must be involved to complete a private key operation.  These parts
664	   are then distributed to separate parties, thus achieving
665	   cryptographic enforcement of a separation of duties.

667	   Public key cryptography allows many (but certainly not all)
668	   information security concerns to be reduced to management of
669	   cryptographic keys.  If Alice knows the Bob's encryption key, she can
670	   send Bob an encrypted message that only he can read.  If Bob knows
671	   Alice's signature key, Bob can verify that a digital signature on the
672	   message really was created by Alice.

674	   A Public Key Infrastructure (PKI) is a combination of technologies,
675	   practices and services that support the management of public key
676	   pairs.  In particular, if Alice does not know Bob's public key, any
677	   infrastructure that is designed to provide her with this information
678	   may be regarded as a form of PKI.

680	   The big challenge faced in the design, deployment of operation of a
681	   PKI is that while Alice and Bob can communicate with perfect secrecy
682	   if they use each other's actual public keys, they will have worse
683	   than no security if an attacker can persuade them to use keys they
684	   control instead.  One of the chief concerns in PKI therefore is to
685	   allow users to assess the level of risk they face, a quality known as
686	   trust.

688	2.1.  Existing approaches

690	   Few areas of information security have engaged so much passionate
691	   debate or diverse proposals as PKI architecture.  Yet despite the
692	   intensity of this argument the state of deployment of PKI in the
693	   Internet has remained almost unchanged.

695	   TLS and SSH, the only Internet security protocols that have
696	   approached ubiquity both operate at the transport layer.  The use of
697	   IPSEC is largely limited to providing VPN access.  DNSSEC remains a
698	   work in progress.  Use of end-to-end secure email messaging is
699	   negligible and shows no sign of improvement as long as competition
700	   between S/MIME and OpenPGP remains at a stalemate in which one has a
701	   monopoly on mindshare and the other a monopoly on deployment.

703	2.1.1.  Trust After First Use (TAFU)

705	   Trust After First Use is a simple but often effective form of PKI.
706	   Instead of trying to verify each other's public key the first time
707	   they attempt to communicate, the parties record the public key
708	   credentials presented in their first interaction and check that the
709	   same credentials are presented in subsequent transactions.  While
710	   this approach does not absolutely guarantee that 'Alice' is really
711	   talking to 'Bob', as the conversation continues over hours, months or
712	   even years, they are both assured that they are talking to the same
713	   person.

715	2.1.2.  Direct Trust

717	   In the direct trust model, credentials are exchanged in person.  The
718	   exchange may be of the actual public key itself or by means of a
719	   'fingerprint' which is simply a means of formatting a cryptographic
720	   digest of the key to the user.

722	   Use of direct trust is robust and avoids the need to introduce any
723	   form of trusted third party.  It is also limited for the obvious
724	   reason that it is not always possible for users to meet in person.
725	   For this reason, protocols that attempt to offer a direct trust model
726	   often turn out to be being used in trust-after-first-use mode in
727	   practice when the behavior of users is examined.

729	2.1.3.  Certificate Authority

731	   The archetype of what is generally considered to be 'PKI' was
732	   introduced in Kohnfelder's 1978 Msc. Thesis [Kohnfelder78] . A
733	   Certificate Authority (CA)whose signature key is known to all the
734	   participants issues certificates binding the user's public key to
735	   their name and/or contact address(es).

737	   This approach forms the basis of almost every widely deployed PKI
738	   including the EMV PKI that support smart card payments, the CableLabs
739	   PKI that supports the use of set top boxes to access copyright
740	   protected content and the WebPKI mentioned earlier that supports the
741	   use of TLS in online commerce.

743	   One area in which the CA model has not met with widespread success is
744	   the provision of end-to-end secure email described in the original
745	   paper.  Despite the fact that S/MIME secure email has been supported
746	   by practically every major email client for over 20 years, only a
747	   small number of users are aware that email encryption is supported
748	   and even fewer user it on a regular basis.

750	   One of the reasons for this lack of uptake is the lack of uptake
751	   itself.  Until a critical mass of users is established, the network
752	   effect presents as the chicken and egg problem.  Another reason for
753	   the failure is the sheer inconvenience use of S/MIME presents to the
754	   user.  Obtaining, installing and maintaining certificates requires
755	   significant user effort and knowledge.  But even if these obstacles
756	   are addressed (as the Mesh attempts to do), as far as the open
757	   Internet is concerned, S/MIME provides little or no benefit over a
758	   direct trust model because there is no equivalent of the WebPKI for
759	   email.

761	   Most CAs that operate WebPKI services also offer S/MIME PKI services,
762	   but these are seldom used except by enterprises and government
763	   agencies where certificates are usually issued for internal use only.

765	   One of the chief difficulties in establishing a MailPKI analogous to
766	   the WebPKI is the difficulty of establishing a set of validation
767	   requirements that are cost effective to users and present a
768	   meaningful social work factor to attackers.

770	   When VeriSign began operating the first Internet CA, two classes of
771	   email certificate were offered that have since become a de facto
772	   industry standard:

774	   Class 1:  The CA verified that the subject applying for the
775	      certificate could read email sent to the address specified in the
776	      certificate.

778	   Class 2:  The requirements of class 1 plus the requirement that the
779	      certificate be issued through a Registration Authority that had
780	      been separately determined to meet the considerably more stringent
781	      validation requirements for organizations specified in class 3 and
782	      in particular, demonstrated ownership of the corresponding domain
783	      name.

785	   Class 2 certificates were designed to be issued by organizations to
786	   their employees and arguably present a more than adequate social work
787	   factor to prevent most forms of attack.  S/MIME certificates are in
788	   daily use to secure very sensitive communications relating to very
789	   high value transactions.  But this represents a niche application of
790	   what was intended to be a ubiquitous infrastructure that would
791	   eventually secure every email communication.

793	   The only type of certificate that the typical Internet user can
794	   obtain is class 1 which at best offers a small improvement on social
795	   work factor over Trust After First Use.

797	2.1.4.  Web of Trust

799	   The concept of the Web of Trust was introduced by Zimmerman with the
800	   launch of PGP.  It represents the antithesis of the hierarchical CA
801	   model then being proposed for the Privacy Enhance Mail scheme being
802	   considered by the IETF at the time.  A core objection to this model
803	   was the fact that users could only communicate securely by obtaining
804	   a certificate from a CA.  The goal of PGP was to democratize the
805	   process by making every user a trust provider.

807	   Like S/MIME, OpenPGP protocol has achieved some measure of success
808	   but has fallen far short of its original goal of becoming ubiquitous
809	   and almost none of the users have participated in the Web of Trust.

811	   One of the chief technical limitations of the Web of Trust is that
812	   trust degrades over distance.  An introduction from a friend of a
813	   friend has less value than one from a friend.  As the number of users
814	   gets larger, the chains of trust get longer, and the trustworthiness
815	   of the link becomes smaller.

817	   Another limitation is that as is fitting for a concept launched at
818	   the high tide of postmodernism, the trust provided is inherently
819	   relative.  Every user has a different view of the Web of Trust and
820	   thus a different degree of trust in the other users.  This makes it
821	   impossible for a commercial service to offer to navigate the Web of
822	   Trust on a user's behalf.

824	2.1.5.  Chained notary

826	   The rise of BitCoin [Bitcoin] and the blockchain technology on which
827	   it is based have given rise to numerous proposals that make use of a
828	   tamper-evident notary as either the basis for a new PKI (e.g.
829	   NameCoin [Namecoin] ) or to provide additional audit controls for an
830	   existing PKI (e.g.  Certificate Transparency [RFC6962] ).

832	   The principle of making a digital notary service tamper-evident by
833	   means of combining each output of the notary with the input of its
834	   successor using a cryptographic digest was proposed in 1991 by Haber
835	   and Stornetta [Haber91] . Every output of the notary depends on every
836	   one of the previous inputs.  Thus, any attempt to modify an input
837	   will cause every subsequent output to be invalidated.

839	   Notaries operating according to these principles can quickly achieve
840	   prohibitively high social work factors by simply signing their output
841	   values at regular intervals and publishing a record of the signed
842	   values.  Any attempt by the notary to tamper with the log will
843	   produce a non-repudiable proof of the defection.  Thus once an input
844	   value is enrolled in a chained notary, the social work factor for
845	   modifying that input subsequent to that becomes the same as the
846	   social work factor for subverting the notary and every party that has
847	   a record of the signed outputs of that notary.

849	   Enrolling the signed outputs of one notary as an input to another
850	   independently operated notary establishes a circumstance in which it
851	   is not possible for one notary to defect unless the other does as
852	   well.  Applying the same principle to a collection of notaries
853	   establishes a circumstance in which it is not possible for any notary
854	   to defect without that defection becoming evident unless every other
855	   notary also defects.  If such infrastructures are operated in
856	   different countries by a variety of reputable notaries, the social
857	   work factor of modifying an input after it is enrolled may be
858	   considered as to rapidly approach infinity.

860	   One corollary of this effect is that just as there is only one global
861	   postal system, one telephone system and one Internet, convergence of
862	   the chained notary infrastructure is also inevitable.  Users seeking
863	   the highest possible degree of tamper evidence will seek out notaries
864	   that cross notarize with the widest and most diverse range of other
865	   notaries.  I propose a name for this emergent infrastructure, the
866	   Internotary.

868	   According to the image presented in the popular press, it is the
869	   minting of new cryptocurrency that provides stability to the
870	   distributed leger at the heart of BitCoin, Etherium and their many
871	   imitators.  The fact that notaries that do not require proof of work,
872	   proof of stake or any other form of seigniorage offer the same social
873	   work factor (effectively infinite) as those that do demonstrates that
874	   it is not necessary to consume nation-state level quantities of
875	   electricity to operate such infrastructures.

877	   The attraction of employing such notaries in a PKI system is that the
878	   social work factor to forge a credential prior to a date that has
879	   already been notarized as past is infinite.  It is obvious that
880	   almost none of the thousands of OpenPGP keys registered with the key
881	   server infrastructure for 'Barack Obama' are genuine and so all the
882	   registered keys are untrustworthy.  But if it was known that one
883	   particular key had been registered in the 1980s, before Obama had
884	   become a political leader, that particular key would be considerably
885	   more trustworthy than the rest.

887	   The use of chained notaries may be viewed as providing a distributed
888	   form of Trust After First Use. The first use event in this case is
889	   the enrollment of the event in the notary.  Instead of Alice having
890	   to engage in separate first use events with Bob, Carol, Doug and
891	   every other user she interacts with, a single first use event with
892	   the internotary supports all her existing and future contacts.

894	2.1.6.  A blended approach

896	   As we have seen, different PKI architectures have emerged to serve
897	   different communities of use by offering different forms of trust.
898	   The trust provided by the OpenPGP and S/MIME PKIs to the communities
899	   they serve is distinct.  The S/MIME PKI does not provide a useful
900	   means of establishing a trusted relationship in a personal capacity.
901	   The OpenPGP PKI is not appropriate for establishing a trust
902	   relationship in an enterprise capacity.  Yet despite this obvious
903	   difference in capabilities, there has been no convergence between
904	   these competing approaches in the past two decades.

906	   The only convergence in approach that has developed over this period
907	   is within the applications that rely on PKI.  Most SSH clients and
908	   servers make provision for use of CA issued certificates for
909	   authentication.  Most email clients may be configured to support
910	   OpenPGP in addition to S/MIME.

912	   While offering the choice of CA issued, direct trust or Web of Trust
913	   credentials is better than insisting on the use of the one, true PKI,
914	   this approach is less powerful than a blended approach allowing the
915	   user to make use of all of them.

917	   In the blended approach, every user is a trust provider and can
918	   provide endorsements to other user and some (but not necessarily all)
919	   users have CA issued certificates.

921	   This approach follows the same patterns that have been applied in the
922	   issue of government credentials for centuries.  In many countries,
923	   passport applications must be endorsed by either a member of a
924	   profession that has frequent interaction with the public (e.g.
925	   doctors, lawyers and clerics), a licensed and registered set of
926	   public notaries or both.

928	   Analysis of the blended approach in terms of work factor reveals the
929	   surprising result that it can achieve a higher social work factor
930	   than either the CA model alone or the Web of Trust model alone.

932	   Consider the case that Alice and Bob have each obtained a certificate
933	   that presents a Social Work Factor of $10.  Applying the CA model in
934	   isolation, $10 is the limit to the SFW that can be achieved.  But if
935	   Alice and Bob were to meet and exchange endorsements, the SFW may be
936	   increased by up to $10.  If the exchange of endorsements is made in
937	   person by means of some QR code mediated cryptographic protocol, we
938	   might reasonably ascribe a SWF of $20 to each credential.

940	   This higher SWF can now be used to evaluate the value of endorsements
941	   issued by Alice and Bob to user Carol and of Carol to Doug, neither
942	   of whom has a CA issued certificates.  While the SWF of Carol is
943	   certainly less than $20 and the SWF or Doug is even lower, it is
944	   certainly greater than $0.

946	   While these particular values are given for the sake of example, it
947	   is clearly the case that as with the WebPKI, the blended approach
948	   permits trust to be quantified according to objective criteria even
949	   if the reliability of the values assigned remains subjective.  The
950	   Google Page Rank algorithm did not have to be perfect to be useful
951	   and just as the deployment of the Web spurred the development of
952	   engines offering better and more accurate search engines, deployment
953	   of blended PKI may be reasonably be expected to lead to the
954	   development of better and more accurate means of evaluating trust.

956	   The power of the blended approach is that it provides the reach of
957	   the Web of Trust model with the resilience of the CA model while
958	   permitting a measurable improvement in work factor over both.

960	   Combining the blended trust model with the internotary model allows
961	   these SWF values to be fixed in time.  It is one thing for an
962	   attacker to spend $100 to impersonate the President of the United
963	   States.  It is quite another for an attacker to spend $100 per target
964	   on every person who might become President of the United States in 20
965	   years' time.

967	3.  The Mesh of Trust

969	   The purpose of the Mathematical Mesh is to put the user rather than
970	   the designer in control of their trust infrastructure.  To this end,
971	   the Mesh supports use of any credential issued by any form of PKI and
972	   provides a means of using these credentials in a blended model.

974	3.1.  Master Profile

976	   The Mesh provides an infrastructure that enables a user to manage all
977	   the cryptographic keys and other infrastructure that are necessary to
978	   provide security.

980	   A Mesh master profile is the root of trust for each user's personal
981	   PKI.  By definition, every device, every application key that is a
982	   part of user's personal Mesh profile is ultimately authenticated
983	   either directly or indirectly by the signature key published in the
984	   master profile.

986	   Unlike user keys in traditional PKIs, a Mesh master profile is
987	   designed to permit (but not require) life long use.  A Master profile
988	   can be revoked but does not expire.  It is not possible to change the
989	   signature key in a master profile.  Should a compromise occur, a new
990	   master profile must be created.

992	3.2.  Uniform Data Fingerprints

994	   Direct trust in the Mesh is realized through use of Uniform Data
995	   Fingerprints (UDF) [draft-hallambaker-udf] . A UDF consists of a
996	   cryptographic digest (e.g.  SHA-2-512) over a data sequence and a
997	   content type identifier.

999	   UDFs are presented as a Base32 encoded sequence with separators every
1000	   25 characters.  UDFs may be presented at different precisions
1001	   according to the intended use.  The 25-character presentation
1002	   provides a work factor of 2^117 and is short enough to put on a
1003	   business card or present as a QR code.  The 50-character presentation
1004	   provides a work factor of 2^242 and is compact enough to be used in a
1005	   configuration file.

1007	   For example, the UDF of the text/plain sequence "UDF Data Value" may
1008	   be presented in either of the following forms:

1010	   MDDK7-N6A72-7AJZN-OSTRX-XKS7D
1011	   MDDK7-N6A72-7AJZN-OSTRX-XKS7D-JAFXI-6OZSL-U2VOA-TZQ6J-MHPTS

1013	   The UDF of a user's master profile signature key is used as a
1014	   persistent, permanent identifier of the user that is unique to them
1015	   and will remain constant for their entire life unless they have
1016	   reason to replace their master profile with a new one.  The exchange
1017	   of master profile UDFs is the means by which Mesh users establish
1018	   direct trust.

1020	3.3.  Strong Internet Names

1022	   A Strong Internet name (SIN) [draft-hallambaker-sin] is a valid
1023	   Internet address that contains a UDF fingerprint of a security policy
1024	   describing interpretation of that name.

1026	   While a SIN creates a strong binding between an Internet address and
1027	   a security policy, it does not provide a mechanism for discovery of
1028	   the security policy.  Nor is it necessarily the case that this is
1029	   publicly available.

1031	   For example, Example Inc holds the domain name example.com and has
1032	   deployed a private CA whose root of trust is a PKIX certificate with
1033	   the UDF fingerprint MB2GK-6DUF5-YGYYL-JNY5E-RWSHZ.

1035	   Alice is an employee of Example Inc., she uses three email addresses:

1037	   alice@example.com  A regular email address (not a SIN).

1039	   alice@mm--mb2gk-6duf5-ygyyl-jny5e-rwshz.example.com  A strong email
1040	      address that is backwards compatible.

1042	   alice@example.com.mm--mb2gk-6duf5-ygyyl-jny5e-rwshz  A strong email
1043	      address that is backwards incompatible.

1045	   Use of SINs allows the use of a direct trust model to provide end-to-
1046	   end security using existing, unmodified email clients and other
1047	   Internet applications.

1049	   For example, Bob might use Microsoft Outlook 2019, an email
1050	   application that has no support for SINs as his email client.  He
1051	   configures Outlook to direct outbound mail through a SIN-aware proxy
1052	   service.  When Bob attempts to send mail to a strong email address
1053	   for Alice, the proxy recognizes that the email address is a SIN and
1054	   ensures that the necessary security enhancements are applied to meet
1055	   the implicit security policy.

1057	3.4.  Trust notary

1059	   A Mesh trust notary is a chained notary service that accepts
1060	   notarization requests from users and enrolls them in a publicly
1061	   visible, tamper-evident, append-only log.

1063	   The practices for operation of the trust notary are currently
1064	   undefined but should be expected to follow the approach described
1065	   above.

1067	   The trust notary protocol provides support for establishing an
1068	   internotary through cross certification.  The append only log format
1069	   is a DARE Container [draft-hallambaker-dare-container] , the service
1070	   protocol is currently in development.

1072	3.5.  Endorsement

1074	   An endorsement is a document submitted to a trust notary that
1075	   includes a claim of the form 'public key X is held by user Y'.  Mesh
1076	   endorsements may be issued by CAs or by ordinary users.

1078	3.6.  Evaluating trust

1080	   One of the chief advantages of the World Wide Web over previous
1081	   networked hypertext proposals was that it provided no means of
1082	   searching for content.  While the lack of a search capability was an
1083	   obstacle to content discovery in the early Web, competing solutions
1084	   to meeting this need were deployed, revised and replaced.

1086	   The Mesh takes the same approach to evaluation of trust.  The Mesh
1087	   provides an infrastructure for expression of trust claims but is
1088	   silent on their interpretation.  As with the development of search
1089	   for the Web, the evaluation of trust in the Mesh is left to the
1090	   application of venture capital to deep AI.

1092	4.  Conclusions

1094	   This paper describes the principal approaches used to establish
1095	   Internet trust, a means of evaluating them and a proposed successor.
1096	   It now remains to determine the effectiveness of the proposed
1097	   approach by attempting deployment.

1099	5.  Security Considerations

1101	   This document describes the means by which interparty identification
1102	   risk is managed and controlled in the Mathematical Mesh.

1104	   The security considerations for use and implementation of Mesh
1105	   services and applications are described in the Mesh Security
1106	   Considerations guide [draft-hallambaker-mesh-security] .

1108	6.  References

1110	6.1.  Normative References

1112	   [draft-hallambaker-mesh-security]
1113	              "[Reference Not Found!]".

1115	6.2.  Informative References

1117	   [Adrian2015]
1118	              Adrian, D., "Weak Diffie-Hellman and the Logjam Attack",
1119	              October 2015.

1121	   [Bitcoin]  Finley, K., "After 10 Years, Bitcoin Has Changed
1122	              Everything?And Nothing", November 2018.

1124	   [Diffie76]
1125	              Diffie, W. and M. Hellman, "New Directions in
1126	              Cryptography", November 1976.

1128	   [draft-hallambaker-dare-container]
1129	              Hallam-Baker, P., "Data At Rest Encryption Part 2: DARE
1130	              Container", draft-hallambaker-dare-container-02 (work in
1131	              progress), August 2018.

1133	   [draft-hallambaker-sin]
1134	              Hallam-Baker, P., "Strong Internet Names (SIN)", draft-
1135	              hallambaker-sin-03 (work in progress), April 2018.

1137	   [draft-hallambaker-udf]
1138	              Hallam-Baker, P., "Uniform Data Fingerprint (UDF)", draft-
1139	              hallambaker-udf-12 (work in progress), January 2019.

1141	   [Haber91]  Haber, S. and W. Stornetta, "How to Time-Stamp a Digital
1142	              Document", 1991.

1144	   [Intel2018]
1145	              Bell, L., "Intel delays 10nm Cannon Lake processors,
1146	              again, until late 2019", July 2018.

1148	   [Kohnfelder78]
1149	              Kohnfelder, L., "Towards a Practical Public-Key
1150	              Cryptosystem", May 1978.

1152	   [Namecoin]
1153	              Inc., N., "Namecoin Web Site", 2019.

1155	   [Ratchet]  Marlinspike, M. and T. Perrin, "The Double Ratchet
1156	              Algorithm", November 2016.

1158	   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
1159	              Key Derivation Function (HKDF)", RFC 5869,
1160	              DOI 10.17487/RFC5869, May 2010.

1162	   [RFC6246]  Sajassi, A., Brockners, F., Mohan, D., and Y. Serbest,
1163	              "Virtual Private LAN Service (VPLS) Interoperability with
1164	              Customer Edge (CE) Bridges", RFC 6246,
1165	              DOI 10.17487/RFC6246, June 2011.

1167	   [RFC6962]  Laurie, B., Langley, A., and E. Kasper, "Certificate
1168	              Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013.

1170	   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
1171	              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

1173	   [Schneier2013]
1174	              Schneier, B., "Defending Against Crypto Backdoors",
1175	              October 2013.

1177	   [Shannon1949]
1178	              Shannon, C., "Communication Theory of Secrecy Systems",
1179	              1949.

1181	6.3.  URIs

1183	   [1] http://mathmesh.com/Documents/draft-hallambaker-mesh-trust.html

1185	Author's Address

1187	   Phillip Hallam-Baker

1189	   Email: phill@hallambaker.com