idnits 2.17.1 draft-hallambaker-mesh-trust-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack an Authors' Addresses Section. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (9 March 2020) is 1502 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 6962 (Obsoleted by RFC 9162) Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. M. Hallam-Baker 3 Internet-Draft ThresholdSecrets.com 4 Intended status: Informational 9 March 2020 5 Expires: 10 September 2020 7 Mathematical Mesh 3.0 Part VI: The Trust Mesh 8 draft-hallambaker-mesh-trust-05 10 Abstract 12 This paper extends Shannon's concept of a 'work factor' as applied to 13 evaluation of cryptographic algorithms to provide an objective 14 measure of the practical security offered by a protocol or 15 infrastructure design. Considering the hypothetical work factor 16 based on an informed estimate of the probable capabilities of an 17 attacker with unknown resources provides a better indication of the 18 relative strength of protocol designs than the computational work 19 factor of the best-known attack. 21 The social work factor is a measure of the trustworthiness of a 22 credential issued in a PKI based on the cost of having obtained the 23 credential through fraud at a certain point in time. Use of the 24 social work factor allows evaluation of Certificate Authority based 25 trust models and peer to peer (Web of Trust) models to be evaluated 26 in the same framework. The analysis demonstrates that both 27 approaches have limitations and that in certain applications, a 28 blended model is superior to either by itself. 30 The final section of the paper describes a proposal to realize this 31 blended model using the Mathematical Mesh. 33 [Note to Readers] 35 Discussion of this draft takes place on the MATHMESH mailing list 36 (mathmesh@ietf.org), which is archived at 37 https://mailarchive.ietf.org/arch/search/?email_list=mathmesh. 39 This document is also available online at 40 http://mathmesh.com/Documents/draft-hallambaker-mesh-trust.html. 42 Status of This Memo 44 This Internet-Draft is submitted in full conformance with the 45 provisions of BCP 78 and BCP 79. 47 Internet-Drafts are working documents of the Internet Engineering 48 Task Force (IETF). Note that other groups may also distribute 49 working documents as Internet-Drafts. The list of current Internet- 50 Drafts is at https://datatracker.ietf.org/drafts/current/. 52 Internet-Drafts are draft documents valid for a maximum of six months 53 and may be updated, replaced, or obsoleted by other documents at any 54 time. It is inappropriate to use Internet-Drafts as reference 55 material or to cite them other than as "work in progress." 57 This Internet-Draft will expire on 10 September 2020. 59 Copyright Notice 61 Copyright (c) 2020 IETF Trust and the persons identified as the 62 document authors. All rights reserved. 64 This document is subject to BCP 78 and the IETF Trust's Legal 65 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 66 license-info) in effect on the date of publication of this document. 67 Please review these documents carefully, as they describe your rights 68 and restrictions with respect to this document. 70 Table of Contents 72 1. Work Factor . . . . . . . . . . . . . . . . . . . . . . . . . 3 73 1.1. Computational Work Factor . . . . . . . . . . . . . . . . 3 74 1.2. Hypothetical Work Factor . . . . . . . . . . . . . . . . 4 75 1.3. Known Unknowns . . . . . . . . . . . . . . . . . . . . . 5 76 1.4. Defense in Depth . . . . . . . . . . . . . . . . . . . . 6 77 1.5. Mutual Reinforcement . . . . . . . . . . . . . . . . . . 7 78 1.6. Safety in Numbers . . . . . . . . . . . . . . . . . . . . 8 79 1.7. Cost Factor . . . . . . . . . . . . . . . . . . . . . . . 10 80 1.8. Social Work Factor . . . . . . . . . . . . . . . . . . . 12 81 1.8.1. Related work . . . . . . . . . . . . . . . . . . . . 14 82 2. The problem of trust . . . . . . . . . . . . . . . . . . . . 14 83 2.1. Existing approaches . . . . . . . . . . . . . . . . . . . 15 84 2.1.1. Trust After First Use (TAFU) . . . . . . . . . . . . 15 85 2.1.2. Direct Trust . . . . . . . . . . . . . . . . . . . . 16 86 2.1.3. Certificate Authority . . . . . . . . . . . . . . . . 16 87 2.1.4. Web of Trust . . . . . . . . . . . . . . . . . . . . 17 88 2.1.5. Chained notary . . . . . . . . . . . . . . . . . . . 18 89 2.1.6. A blended approach . . . . . . . . . . . . . . . . . 19 90 3. The Mesh of Trust . . . . . . . . . . . . . . . . . . . . . . 21 91 3.1. Master Profile . . . . . . . . . . . . . . . . . . . . . 21 92 3.2. Uniform Data Fingerprints . . . . . . . . . . . . . . . . 21 93 3.3. Strong Internet Names . . . . . . . . . . . . . . . . . . 22 94 3.4. Trust notary . . . . . . . . . . . . . . . . . . . . . . 23 95 3.5. Endorsement . . . . . . . . . . . . . . . . . . . . . . . 23 96 3.6. Evaluating trust . . . . . . . . . . . . . . . . . . . . 23 98 4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 24 99 5. Security Considerations . . . . . . . . . . . . . . . . . . . 24 100 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24 101 7. Normative References . . . . . . . . . . . . . . . . . . . . 24 102 8. Informative References . . . . . . . . . . . . . . . . . . . 24 104 1. Work Factor 106 Recent events have highlighted both the need for open standards-based 107 security protocols and the possibility that the design of such 108 protocols may have been sabotaged [Schneier2013]. We thus face two 109 important and difficult challenges, first to design an Internet 110 security infrastructure that offers practical security against the 111 class of attacks revealed, and secondly, to convince potential users 112 that the proposed new infrastructure has not been similarly 113 sabotaged. 115 The measure of a security of a system is the cost and difficulty of 116 making a successful attack. The security of a safe is measured by 117 the length time it is expected to resist attack using a specified set 118 of techniques. The security of a cryptographic algorithm against a 119 known attack is measured by the computational cost of the attack. 121 This paper extends Shannon's concept of a 'work factor' [Shannon1949] 122 to provide an objective measure of the security a protocol or 123 infrastructure offers against other forms of attack. 125 1.1. Computational Work Factor 127 The term 'Computational Work Factor' is used to refer to Shannon's 128 original concept. 130 One of Shannon's key insights was that the work factor of a 131 cryptographic algorithm could be exponential. Adding a single bit to 132 the key size of an ideal symmetric algorithm presents only a modest 133 increase in computational effort for the defender but doubles the 134 work factor for the attacker. 136 More precisely, the difficulty of breaking a cryptographic algorithm 137 is generally measured by the work-factor ratio. If the cost of 138 encrypting a block with 56-bit DES is _x_, the worst case cost of 139 recovering the key through a brute force attack is 2^(56)_x_. The 140 security of DES has changed over time because _x_ has fallen 141 exponentially. 143 While the work factor is traditionally measured in terms of the 144 number of operations, many cryptanalytic techniques permit memory 145 used to be traded for computational complexity. An attack requiring 146 2^(64)bytes of memory that reduces the number of operations required 147 to break a 128-bit cipher to 2^(64) is a rather lower concern than 148 one which reduces the number of operations to 2^(80). The term 149 'cost' is used to gloss over such distinctions. 151 The Computational Work Factor ratio WF-C (A) of a cryptographic 152 algorithm A, is the cost of the best-known attack divided by the cost 153 of the algorithm itself. 155 1.2. Hypothetical Work Factor 157 Modern cryptographic algorithms use keys of 128 bits or more and 158 present a work factor ratio of 2^(128) against brute force attack. 159 This work factor is at least 2^(72) times higher than DES and 160 comfortably higher than the work factor of 2^(80)operations that is 161 generally believed to be the practical limit to current attacks. 163 Though Moore's law has delivered exponential improvements in 164 computing performance over the past four decades, this has been 165 achieved through continual reductions in the minimum feature size of 166 VLSI circuits. As the minimum feature size rapidly approaches the 167 size of individual atoms, this mechanism has already begun to stall 168 [Intel2018]. 170 While an exceptionally well-resourced attacker may gain performance 171 advances through use of massive parallelism, faster clock rates made 172 possible by operating at super-low temperatures and custom designed 173 circuits, the return on such approaches is incremental rather than 174 exponential. 176 Performance improvements may allow an attacker to break systems with 177 a work factor several orders of magnitude greater than the public 178 state of the art. But an advance in cryptanalysis might permit a 179 potentially more significant reduction in the work factor. 181 The primary consideration in the choice of a cryptographic algorithm 182 therefore is not the known computational work factor as measured 183 according to the best publicly known attack but the confidence that 184 the computational work factor of the best attack that might be known 185 to the attacker. 187 While the exact capabilities of the adversary are unknown, a group of 188 informed experts may arrive at a conservative estimate of their 189 likely capabilities. In particular, it is the capabilities of 190 nation-state actors that generally give rise to greatest concern in 191 security protocol design. In this paper we refer to this set of 192 actors as _nation-state class_ adversaries in recognition of the fact 193 that certain technology companies posses computing capabilities that 194 rival if not exceed those of the largest state actors and those 195 capabilities could at least in theory be co-opted for other purposes 196 in certain circumstances. 198 The probability that a nation-state class has discovered an attack 199 against AES-128 with a work factor ratio of 2^(120) might be 200 considered relatively high while the probability that an attack with 201 a work factor ratio of less than 2^(64) is very low. 203 We define the hypothetical work factor function WF-H (A, p) as 204 follows: If WF is a work factor ratio and p is an informed estimate 205 of the probability that an adversary has developed an attack with a 206 work factor ratio against algorithm A of WF or less then WF-H (A, p) 207 = WF. 209 Since the best-known public attack is known to the attacker, WF-H (A, 210 1) = WF_(C) (A) 212 The inverse function WF-H' (A, WF) returns the estimated probability 213 that the work factor of algorithm A is at least WF. 215 The hypothetical work factor and its inverse may be used to compare 216 the relative strengths of protocol designs. Given designs A and B, 217 we can state that B is an improvement on A if WF-H (A,p) > WF-H (B,p) 218 for all p. 220 When considering a protocol or infrastructure design we can thus 221 improve a protocol by either: 223 * Increasing WF-H (A,p) for some p, or 225 * Decreasing WF-H '(A,WF) 227 1.3. Known Unknowns 229 Unlike the computational work factor, the hypothetical work factor 230 does not provide an objective measure of the security offered by a 231 design. The purpose of the hypothetical work factor is to allow the 232 protocol designer to compare the security offered by different design 233 choices. 235 The task that the security engineer faces is to secure the system 236 from all attacks whether the attacks themselves are known or unknown. 237 In the current case it is known that an attacker is capable of 238 breaking at least some of the cryptographic algorithms in use. But 239 not which algorithms are affected or the nature of the attack(s). 241 Unlike the computational work factor, the hypothetical work factor 242 does not deliver an academically rigorous, publication and citation 243 worthy measure of the strength of a design. That is not its purpose. 244 the purpose of the hypothetical work factor is to assist the protocol 245 designer in designing protocols. 247 Design of security protocols has always required the designer to 248 consider attackers whose capabilities are not currently known and 249 thus involved a considerable degree of informed opinion and 250 guesswork. Whether correctly or not, the decision to reject changes 251 to the DNSSEC protocol to enable deployment in 2002 rested in part on 252 a statement by a Security Area Director that a proposed change gave 253 him 'a bad feeling in his gut'. The hypothetical work factor permits 254 the security designer to model to quantify such intestinally based 255 assumptions and model the effect on the security of the resulting 256 design. 258 Security is a property of systems rather than individual components. 259 While it is quite possible that there are no royal roads to 260 cryptanalysis and cryptanalysis of algorithms such as AES 128 is 261 infeasible even for the nation state class adversaries, such 262 adversaries are not limited to use of cryptanalytic attacks. 264 Despite the rise of organized cyber-crime, many financial systems 265 still employ weak cryptographic systems that are known to be 266 vulnerable to cryptanalytic attacks that are well within the 267 capabilities of the attackers. But fraud based on such techniques 268 remains vanishingly rare as it is much easier for the attackers to 269 persuade bank customers to simply give their access credentials to 270 the attacker. 272 Even if a nation-state class attacker has a factoring attack which 273 renders an attack on RSA-2048 feasible, it is almost certainly easier 274 for a nation-state class attacker to compromise a system using 275 RSA-2048 in other ways. For example, persuading the target of the 276 surveillance to use cryptographic devices with a random number 277 generator that leaks a crib for the attacker. Analyzing the second 278 form of attack requires a different type of analysis which is 279 addressed in the following section on social work factor. 281 1.4. Defense in Depth 283 The motivation behind introducing the concept of the hypothetical 284 work factor is a long experience of seeing attempts to make security 285 protocols more robust being deflected by recourse to specious 286 arguments based on the computational work factor. 288 For example, consider the case in which a choice between a single 289 security control and a defense in depth strategy is being considered: 291 * Option A: Uses algorithm X for protection. 293 * Option B: Uses a combination of algorithm X and algorithm Y for 294 protection such that the attacker must defeat both to break the 295 system and algorithms based on different cryptographic principles 296 are chosen so as to minimize the risk of a common failure mode. 298 If the computational work factor for both algorithms X and Y is 299 2^(128), both options present the same work factor ratio. Although 300 Option B offers twice the security, it also requires twice the work. 302 The argument that normally wins is that both options present the same 303 computational work factor ratio of 2^(128), Option A is simpler and 304 therefore Option A should be chosen. This despite the obvious fact 305 that only Option B offers defense in depth. 307 If we consider the adversary of being capable of performing a work 308 factor ratio of 2^(80) and the probability the attacker has 309 discovered an attack capable of breaking algorithms X and Y to be 10% 310 in each case, the probability that the attacker can break Option A is 311 10% while the probability that an attack on Option B is only 1%, a 312 significant improvement. 314 While Option B clearly offers a significant potential improvement in 315 security, this improvement is only fully realized if the 316 probabilities of a feasible attack are independent. 318 1.5. Mutual Reinforcement 320 The defense in depth approach affords a significant improvement in 321 security but an improvement that is incremental rather than 322 exponential in character. With mutual reinforcement we design the 323 mechanism such that in addition to requiring the attacker to break 324 each of the component algorithms, the difficulty of the attacks is 325 increased. 327 For example, consider the use of a Deterministic Random Number 328 Generator R(s,n) which returns a sequence of values R(s,1), R(s,2)... 329 from an initial seed s. 331 Two major concerns in the design of such generators are the 332 possibility of bias and that the seed value be somehow leaked through 333 a side channel. 335 Both concerns are mitigated if instead of using the output of one 336 generator directly, two independent random number generators with 337 distinct seeds are used. 339 For example, consider the use of the value R1(s1,n) XOR R2(s2,n) 340 where R1(s,n) and R2(s,n) are different random number generation 341 functions and s1, s2 are distinct seeds. 343 The XOR function has the property of preserving randomness so that 344 the output is guaranteed to be at least as random as either of the 345 generators from which it is built (provided that there is not a 346 common failure mode). Further, recovery of either random seed is at 347 least as hard as using the corresponding generator on its own. Thus, 348 the Hypothetical work factor for the combined system is improved to 349 at least the same extent as in the defense in depth case. 351 But any attempt to break either generator must now face the 352 additional complexity introduced by the output being masked with the 353 unknown output of the other. An attacker cannot cryptanalyze the two 354 generator functions independently. If the two generators and the 355 seeds are genuinely independent, the combined hypothetical work 356 factor is the product of the hypothetical work factors from which it 357 is built. 359 While implementing two independent generators and seeds represents a 360 significant increase in cost for the implementer, a similar 361 exponential leverage might be realized with negligible additional 362 complexity through use of a cryptographic digest of the generator 363 output to produce the masking value. 365 1.6. Safety in Numbers 367 In a traditional security analysis, the question of concern is 368 whether a cryptanalytic attack is feasible or not. When considering 369 an indiscriminate intercept capability as in a nation-state class 370 attack, the concern is not just whether an individual communication 371 might be compromised but the number of communications that may be 372 compromised for a given amount of effort. 374 'Perfect' Forward Secrecy is an optional feature supported in IPSec 375 and TLS. In 2008, implementations of TLS/1.2 [RFC6246] purported to 376 offer a choice between: 378 Direct key exchange with a work factor dependent on the difficulty of 379 breaking RSA 2048 381 Direct key exchange followed by a perfect forward secrecy exchange 382 with a work factor dependent on the difficulty of breaking both RSA 383 2048 and DH 1024. 385 Using the computational work factor alone suggests that the second 386 scheme has little advantage over the first since the computational 387 work factor of Diffie Hellman using the best-known techniques 2^(80) 388 while the computational work factor for RSA 2048 is 2^(112). Use of 389 the perfect forward secrecy exchange has a significant impact on 390 server performance but does not increase the difficulty of 391 cryptanalysis. 393 Use of perfect forward secrecy with a combination of RSA and Diffie 394 Hellman does not provide a significant improvement in the 395 hypothetical work factor either if individual messages are 396 considered. The RSA and Diffie Hellman systems are closely related 397 and so an attacker that can break RSA 2048 can almost certainly break 398 RSA 1024. Moreover, computational work factor for DH 1024 is only 399 2^(80) and thus feasibly within the reach of a well-funded and 400 determined attacker. 402 According to the analysis informally applied during design, use of 403 perfect forward secrecy does provide an important security benefit 404 when multiple messages are considered. While a sufficiently funded 405 and determined attacker could conceivably break tens, hundreds or 406 even thousands of DH 1024 keys a year, it is rather less likely that 407 an attacker could break millions a year. The OCSP servers operated 408 by Comodo CA receive over 2 billion hits a day and this represents 409 only a fraction of the number of uses of TLS on the Internet. Use of 410 perfect forward secrecy does not prevent an attacker from decrypting 411 any particular message but raises the cost of indiscriminate 412 intercept and decryption. 414 Unfortunately, this analysis is wrong because the TLS key exchange 415 does not achieve a work factor dependent on the difficulty of 416 breaking both RSA 2048 and DH 1024. The pre-master secret 417 established in the initial RSA 2048 exchange is only used to 418 authenticate the key exchange process itself. The session keys used 419 to encrypt content are derived from the weaker ephemeral key 420 exchange, the parameters of which are exchanged in plaintext. Due to 421 this defect in the design of the protocol, the Work Factor of the 422 protocol is the work factor of DH1024 alone. 424 Nor does the use of Diffie Hellman in this fashion provide security 425 when multiple messages are exchanged. The Logjam attack [Adrian2015] 426 exploits the fact that the difficulty of breaking the discrete 427 logarithm involves four major steps, the first three of which are the 428 most computationally intensive and only depend on the shared group 429 parameters. The cost of breaking a hundred Diffie Hellman public 430 keys is not a hundred times the cost of breaking a single key, there 431 is almost no difference. 433 Work factor analysis exposes these flaws in the design of the 434 TLS/1.2. Since the session keys used to encrypt traffic do not 435 depend on knowing the secret established in the RSA2048 exchange, the 436 work factor of the protocol is the lesser of 2^(80) and 2^(112). 438 A simple means of ensuring that the work factor of a protocol is not 439 reduced by a fresh key exchange is to use a one-way function such as 440 a cryptographic digest or a key exchange to combine the output of the 441 prior exchange with its successor. This principle is employed in the 442 double ratchet algorithm [Ratchet] used in the Signal protocol. In 443 the Mesh, the HKDF Key Derivation function [RFC5869] is frequently 444 used for the same purpose. 446 The work factor downgrade issue was addressed in TLS/1.3 [RFC8446] 447 albeit in a less direct fashion by encrypting the ephemeral key 448 exchange. 450 1.7. Cost Factor 452 As previously discussed, cryptanalysis is not the only tool available 453 to an attacker. Faced with a robust cryptographic defense, Internet 454 criminals have employed 'social engineering' instead. A nation-state 455 class attacker may use any and every tool at their disposal including 456 tools that are unique to government backed adversaries such as the 457 threat of legal sanctions against trusted intermediaries. 459 Although attackers can and will use every tool at their disposal, 460 each tool carries a cost and some tools require considerable advance 461 planning to use. It is conceivable that the AES standard published 462 by NIST contains a backdoor that somehow escaped the extensive peer 463 review. But any such effort would have had to have begun well in 464 advance of 1998 when the Rijndael cipher was first published. 466 Nation-state class actors frequently rely for security on the same 467 infrastructures that they are attempting to attack. Thus, the 468 introduction of vulnerabilities that might also be exploited by the 469 opposition incurs a cost to both. This concern is recognized in the 470 NSA 'NOBUS' doctrine: Nobody but us. To introduce a vulnerability in 471 a random number generator that can only be exploited by a party that 472 knows the necessary private key is acceptable. But introducing a 473 vulnerability that depends on the use of an unpublished cryptanalytic 474 technique is not because that same technique might be discovered by 475 the opposition. 477 Subversion of cryptographic apparatus such as Hardware Security 478 Modules (HSMs) and SSL accelerators faces similar constraints. HSMs 479 may be compromised by an adversary but the compromise must have taken 480 place before the device was manufactured or serviced. 482 Just as computational attacks are limited by the cryptanalytic 483 techniques known to and the computational resources available to the 484 attacker, social attacks are limited by the cost of the attack and 485 the capacity of the attacker. 487 The Cost Factor C(t) is an estimate of the cost of performing an 488 attack on or before a particular date in time (t). 490 For the sake of simplicity, currency units are used under the 491 assumption that all the resources required are fungible and that all 492 attackers face the same costs. But such assumptions may need to be 493 reconsidered when there is a range of attackers with very different 494 costs and capabilities. A hacktivist group could not conceivably 495 amass the computational and covert technical resources available to 496 the NSA but such a group could in certain circumstances conceivably 497 organize a protest with a million or more participants while the 498 number of NSA employees is believed to still be somewhat fewer. 500 The computational and hypothetical work factors are compared against 501 estimates of the computational resources of the attacker. An attack 502 is considered to be infeasible if that available computational 503 resources do not allow the attack to be performed within a useful 504 period of time. 506 The cost factor is likewise compared against an incentive estimate, 507 I(t) which is also time based. 509 * An attack is considered to be productive for an attacker if there 510 was a time t for which I(t) > C(t). 512 * An attack is considered to be unproductive if there is no time at 513 which it was productive for that attacker. 515 Unlike Cost Factor for which a lower bound based on the lowest cost 516 and highest capacity may be usefully applied to all attackers, 517 differences in the incentive estimate between attackers are likely to 518 be very significant. Almost every government has the means to 519 perform financial fraud on a vast scale but only rarely does a 520 government have the incentive. When governments do engage in 521 activities such as counterfeiting banknotes this has been done for 522 motives beyond mere peculation. 524 While government actors do not respond to the same incentives as 525 Internet criminals, governments fund espionage activities in the 526 expectation of a return on their investment. A government agency 527 director who does not produce the desired returns is likely to be 528 replaced. 530 For example, when the viability of SSL and the Web PKI for protecting 531 Internet payments was considered in the mid-1990s, the key question 532 was whether the full cost of obtaining a fraudulently issued 533 certificate would exceed the expected financial return where the full 534 cost is understood to include the cost of registering a bogus 535 corporation, submitting the documents and all the other activities 536 that would be required if a sustainable model for payments fraud was 537 to be established. 539 For an attack to be attractive to an attacker it is not just 540 necessary for it to be productive, the time between the initial 541 investment and the reward and the likelihood of success are also 542 important factors. An attack that requires several years of advance 543 planning is much less attractive than an attack which returns an 544 immediate profit. 546 An attack may be made less attractive by 548 * Increasing the cost 550 * Reducing the incentive 552 * Reducing the expected gain 554 * Reducing the probability that the incentive will be realized 556 * Increasing the time between the initial investment and the return. 558 Most real-world security infrastructures are based on more than one 559 of these approaches. The WebPKI is designed to increase the cost of 560 attack by introducing validation requirements and reduce the expected 561 gain through its revocation infrastructure. 563 1.8. Social Work Factor 565 In the cost factor analysis, it is assumed that all costs are 566 fungible, and the attack capacity of the attacker is only limited by 567 their financial resources. Some costs are not fungible however, in 568 particular inducing a large number of people to accept a forgery 569 without the effort being noticed requires much more than a limitless 570 supply of funds. 572 In a computational attack an operation will at worst fail to deliver 573 success. There is no penalty for failure beyond having failed to 574 succeed. When attempting to perpetuate a fraud on the general 575 public, every attempt carries a risk of exposure of the entire 576 scheme. When attempting to perform any covert activity, every 577 additional person who is indoctrinated into the conspiracy increases 578 the chance of exposure. 580 The totalitarian state envisioned by George Orwell in 1984 was only 581 plausible because each and every citizen is coerced to act as a party 582 to the conspiracy. The erasure and replacement of the past was 583 possible because the risk of exposure was nil. 585 In 2011, I expressed concern to a retired senior member of the NSA 586 staff that the number of contractors being hired to perform cyber- 587 sabotage operations represented a security risk and might be creating 588 a powerful constituency with an interest in the aggressive 589 militarization of cyberspace rather than preparing for its defense. 590 Subsequent disclosures by Robert Snowden have validated the 591 disclosure risk aspect of these concerns. Empirically, the NSA, an 592 organization charged with protecting the secrecy of government 593 documents, was unable to maintain the secrecy of their most important 594 secrets when the size of the conspiracy reached a few ten thousand 595 people. 597 The community of commercial practitioners of cryptographic 598 information security is small in size but encompasses many 599 nationalities. Many members of the community are bound by 600 ideological commitments to protecting personal privacy as an 601 unqualified moral objective. 603 Introducing a backdoor into a HSM, application or operating system 604 platform requires that every person with access to the platform 605 source or who might be called in to audit the code be a party to the 606 conspiracy. Tapping the fiber optic cables that support the Internet 607 backbone requires only a small work crew and digging equipment. 608 Maintaining a covert backdoor in a major operating system platform 609 would require hundreds if not thousands of engineers to participate 610 in the conspiracy. 612 The Social Work Factor WF_(S)(t) is a measure of the cost of 613 establishing a fraud in a conspiracy starting at date t. The cost is 614 measured in the number of actions that the party perpetrating the 615 fraud must perform that carry a risk of exposure. 617 In general, the Social Work Factor will increase over time. 618 Perpetrating a fraud claiming that the Roman emperor Nero never 619 existed today would require that millions of printed histories be 620 erased and rewritten, every person who has ever taught or taken a 621 lesson in Roman history would have to participate in the fraud. The 622 Social Work Factor would be clearly prohibitive. 624 The Social Work Factor in the immediate aftermath of Nero's 625 assassination in 68 would have been considerably lower. While the 626 emperor Nero was obviously not erased from history, this did happen 627 to Akhenaten, an Egyptian pharaoh of the 18^(th) dynasty whose 628 monuments were dismantled, statues destroyed, and his name erased 629 from the lists of kings. 631 1.8.1. Related work 633 It has not escaped the notice of the author that the social work 634 factor might be applied as a general metric for assessing the 635 viability of a conspiracy hypothesis. 637 Applying social work factor analysis to the moon landing conspiracy 638 theory we note that almost all of the tens of thousands of NASA 639 employees who worked on the Apollo project would have had to be a 640 part of the conspiracy and so would an even larger number of people 641 who worked for NASA contractors. The cost of perpetrating the hoax 642 would have clearly exceeded any imaginable benefit while the risk of 643 the hoax being exposed would have been catastrophic. 645 2. The problem of trust 647 Traditional (symmetric key) cryptography allows two parties to 648 communicate securely provided they both know a particular piece of 649 information known as a _key_ that must be known to encrypt or decrypt 650 the content. Public Key cryptography proposed by Diffie and Hellman 651 [Diffie76] provides much greater flexibility by using separate keys 652 for separate roles such that it is possible to do one without being 653 able to do the other. In a public key system, an encryption key 654 allows information to be encrypted but not to be decrypted. That 655 role can only be performed using the corresponding decryption key. 657 The Mathematical Mesh recryption services further extend the 658 capabilities of traditional public key infrastructures by further 659 partitioning of the roles associated with the private key. In the 660 Mesh, this capability is referred to as 'recryption' as it was 661 originally conceived of as being a form of Proxy Re-encryption as 662 described by Blaze et. al. but it might equally well be considered as 663 realizing distributed key generation as described by Pedersen. A 664 decryption key is split into two or more parts such that both parts 665 must be involved to complete a private key operation. These parts 666 are then distributed to separate parties, thus achieving 667 cryptographic enforcement of a separation of duties. 669 Public key cryptography allows many (but certainly not all) 670 information security concerns to be reduced to management of 671 cryptographic keys. If Alice knows the Bob's encryption key, she can 672 send Bob an encrypted message that only he can read. If Bob knows 673 Alice's signature key, Bob can verify that a digital signature on the 674 message really was created by Alice. 676 A Public Key Infrastructure (PKI) is a combination of technologies, 677 practices and services that support the management of public key 678 pairs. In particular, if Alice does not know Bob's public key, any 679 infrastructure that is designed to provide her with this information 680 may be regarded as a form of PKI. 682 The big challenge faced in the design, deployment of operation of a 683 PKI is that while Alice and Bob can communicate with perfect secrecy 684 if they use each other's actual public keys, they will have worse 685 than no security if an attacker can persuade them to use keys they 686 control instead. One of the chief concerns in PKI therefore is to 687 allow users to assess the level of risk they face, a quality known as 688 _trust_. 690 2.1. Existing approaches 692 Few areas of information security have engaged so much passionate 693 debate or diverse proposals as PKI architecture. Yet despite the 694 intensity of this argument the state of deployment of PKI in the 695 Internet has remained almost unchanged. 697 TLS and SSH, the only Internet security protocols that have 698 approached ubiquity both operate at the transport layer. The use of 699 IPSEC is largely limited to providing VPN access. DNSSEC remains a 700 work in progress. Use of end-to-end secure email messaging is 701 negligible and shows no sign of improvement as long as competition 702 between S/MIME and OpenPGP remains at a stalemate in which one has a 703 monopoly on mindshare and the other a monopoly on deployment. 705 2.1.1. Trust After First Use (TAFU) 707 Trust After First Use is a simple but often effective form of PKI. 708 Instead of trying to verify each other's public key the first time 709 they attempt to communicate, the parties record the public key 710 credentials presented in their first interaction and check that the 711 same credentials are presented in subsequent transactions. While 712 this approach does not absolutely guarantee that 'Alice' is really 713 talking to 'Bob', as the conversation continues over hours, months or 714 even years, they are both assured that they are talking to the same 715 person. 717 2.1.2. Direct Trust 719 In the direct trust model, credentials are exchanged in person. The 720 exchange may be of the actual public key itself or by means of a 721 'fingerprint' which is simply a means of formatting a cryptographic 722 digest of the key to the user. 724 Use of direct trust is robust and avoids the need to introduce any 725 form of trusted third party. It is also limited for the obvious 726 reason that it is not always possible for users to meet in person. 727 For this reason, protocols that attempt to offer a direct trust model 728 often turn out to be being used in trust-after-first-use mode in 729 practice when the behavior of users is examined. 731 2.1.3. Certificate Authority 733 The archetype of what is generally considered to be 'PKI' was 734 introduced in Kohnfelder's 1978 Msc. Thesis [Kohnfelder78]. A 735 Certificate Authority (CA)whose signature key is known to all the 736 participants issues certificates binding the user's public key to 737 their name and/or contact address(es). 739 This approach forms the basis of almost every widely deployed PKI 740 including the EMV PKI that support smart card payments, the CableLabs 741 PKI that supports the use of set top boxes to access copyright 742 protected content and the WebPKI mentioned earlier that supports the 743 use of TLS in online commerce. 745 One area in which the CA model has not met with widespread success is 746 the provision of end-to-end secure email described in the original 747 paper. Despite the fact that S/MIME secure email has been supported 748 by practically every major email client for over 20 years, only a 749 small number of users are aware that email encryption is supported 750 and even fewer user it on a regular basis. 752 One of the reasons for this lack of uptake is the lack of uptake 753 itself. Until a critical mass of users is established, the network 754 effect presents as the chicken and egg problem. Another reason for 755 the failure is the sheer inconvenience use of S/MIME presents to the 756 user. Obtaining, installing and maintaining certificates requires 757 significant user effort and knowledge. But even if these obstacles 758 are addressed (as the Mesh attempts to do), as far as the open 759 Internet is concerned, S/MIME provides little or no benefit over a 760 direct trust model because there is no equivalent of the WebPKI for 761 email. 763 Most CAs that operate WebPKI services also offer S/MIME PKI services, 764 but these are seldom used except by enterprises and government 765 agencies where certificates are usually issued for internal use only. 767 One of the chief difficulties in establishing a MailPKI analogous to 768 the WebPKI is the difficulty of establishing a set of validation 769 requirements that are cost effective to users and present a 770 meaningful social work factor to attackers. 772 When VeriSign began operating the first Internet CA, two classes of 773 email certificate were offered that have since become a de facto 774 industry standard: 776 Class 1: The CA verified that the subject applying for the 777 certificate could read email sent to the address specified in the 778 certificate. 780 Class 2: The requirements of class 1 plus the requirement that the 781 certificate be issued through a Registration Authority that had 782 been separately determined to meet the considerably more stringent 783 validation requirements for organizations specified in class 3 and 784 in particular, demonstrated ownership of the corresponding domain 785 name. 787 Class 2 certificates were designed to be issued by organizations to 788 their employees and arguably present a more than adequate social work 789 factor to prevent most forms of attack. S/MIME certificates are in 790 daily use to secure very sensitive communications relating to very 791 high value transactions. But this represents a niche application of 792 what was intended to be a ubiquitous infrastructure that would 793 eventually secure every email communication. 795 The only type of certificate that the typical Internet user can 796 obtain is class 1 which at best offers a small improvement on social 797 work factor over Trust After First Use. 799 2.1.4. Web of Trust 801 The concept of the Web of Trust was introduced by Zimmerman with the 802 launch of PGP. It represents the antithesis of the hierarchical CA 803 model then being proposed for the Privacy Enhance Mail scheme being 804 considered by the IETF at the time. A core objection to this model 805 was the fact that users could only communicate securely by obtaining 806 a certificate from a CA. The goal of PGP was to democratize the 807 process by making every user a trust provider. 809 Like S/MIME, OpenPGP protocol has achieved some measure of success 810 but has fallen far short of its original goal of becoming ubiquitous 811 and almost none of the users have participated in the Web of Trust. 813 One of the chief technical limitations of the Web of Trust is that 814 trust degrades over distance. An introduction from a friend of a 815 friend has less value than one from a friend. As the number of users 816 gets larger, the chains of trust get longer, and the trustworthiness 817 of the link becomes smaller. 819 Another limitation is that as is fitting for a concept launched at 820 the high tide of postmodernism, the trust provided is inherently 821 relative. Every user has a different view of the Web of Trust and 822 thus a different degree of trust in the other users. This makes it 823 impossible for a commercial service to offer to navigate the Web of 824 Trust on a user's behalf. 826 2.1.5. Chained notary 828 The rise of BitCoin [Bitcoin] and the blockchain technology on which 829 it is based have given rise to numerous proposals that make use of a 830 tamper-evident notary as either the basis for a new PKI (e.g. 831 NameCoin [Namecoin]) or to provide additional audit controls for an 832 existing PKI (e.g. Certificate Transparency [RFC6962]). 834 The principle of making a digital notary service tamper-evident by 835 means of combining each output of the notary with the input of its 836 successor using a cryptographic digest was proposed in 1991 by Haber 837 and Stornetta [Haber91]. Every output of the notary depends on every 838 one of the previous inputs. Thus, any attempt to modify an input 839 will cause every subsequent output to be invalidated. 841 Notaries operating according to these principles can quickly achieve 842 prohibitively high social work factors by simply signing their output 843 values at regular intervals and publishing a record of the signed 844 values. Any attempt by the notary to tamper with the log will 845 produce a non-repudiable proof of the defection. Thus once an input 846 value is enrolled in a chained notary, the social work factor for 847 modifying that input subsequent to that becomes the same as the 848 social work factor for subverting the notary and every party that has 849 a record of the signed outputs of that notary. 851 Enrolling the signed outputs of one notary as an input to another 852 independently operated notary establishes a circumstance in which it 853 is not possible for one notary to defect unless the other does as 854 well. Applying the same principle to a collection of notaries 855 establishes a circumstance in which it is not possible for any notary 856 to defect without that defection becoming evident unless every other 857 notary also defects. If such infrastructures are operated in 858 different countries by a variety of reputable notaries, the social 859 work factor of modifying an input after it is enrolled may be 860 considered as to rapidly approach infinity. 862 One corollary of this effect is that just as there is only one global 863 postal system, one telephone system and one Internet, convergence of 864 the chained notary infrastructure is also inevitable. Users seeking 865 the highest possible degree of tamper evidence will seek out notaries 866 that cross notarize with the widest and most diverse range of other 867 notaries. I propose a name for this emergent infrastructure, the 868 Internotary. 870 According to the image presented in the popular press, it is the 871 minting of new cryptocurrency that provides stability to the 872 distributed leger at the heart of BitCoin, Etherium and their many 873 imitators. The fact that notaries that do not require proof of work, 874 proof of stake or any other form of seigniorage offer the same social 875 work factor (effectively infinite) as those that do demonstrates that 876 it is not necessary to consume nation-state level quantities of 877 electricity to operate such infrastructures. 879 The attraction of employing such notaries in a PKI system is that the 880 social work factor to forge a credential prior to a date that has 881 already been notarized as past is infinite. It is obvious that 882 almost none of the thousands of OpenPGP keys registered with the key 883 server infrastructure for 'Barack Obama' are genuine and so all the 884 registered keys are untrustworthy. But if it was known that one 885 particular key had been registered in the 1980s, before Obama had 886 become a political leader, that particular key would be considerably 887 more trustworthy than the rest. 889 The use of chained notaries may be viewed as providing a distributed 890 form of Trust After First Use. The first use event in this case is 891 the enrollment of the event in the notary. Instead of Alice having 892 to engage in separate first use events with Bob, Carol, Doug and 893 every other user she interacts with, a single first use event with 894 the internotary supports all her existing and future contacts. 896 2.1.6. A blended approach 898 As we have seen, different PKI architectures have emerged to serve 899 different communities of use by offering different forms of trust. 900 The trust provided by the OpenPGP and S/MIME PKIs to the communities 901 they serve is distinct. The S/MIME PKI does not provide a useful 902 means of establishing a trusted relationship in a personal capacity. 903 The OpenPGP PKI is not appropriate for establishing a trust 904 relationship in an enterprise capacity. Yet despite this obvious 905 difference in capabilities, there has been no convergence between 906 these competing approaches in the past two decades. 908 The only convergence in approach that has developed over this period 909 is within the applications that rely on PKI. Most SSH clients and 910 servers make provision for use of CA issued certificates for 911 authentication. Most email clients may be configured to support 912 OpenPGP in addition to S/MIME. 914 While offering the choice of CA issued, direct trust or Web of Trust 915 credentials is better than insisting on the use of the one, true PKI, 916 this approach is less powerful than a blended approach allowing the 917 user to make use of all of them. 919 In the blended approach, every user is a trust provider and can 920 provide endorsements to other user and some (but not necessarily all) 921 users have CA issued certificates. 923 This approach follows the same patterns that have been applied in the 924 issue of government credentials for centuries. In many countries, 925 passport applications must be endorsed by either a member of a 926 profession that has frequent interaction with the public (e.g. 927 doctors, lawyers and clerics), a licensed and registered set of 928 public notaries or both. 930 Analysis of the blended approach in terms of work factor reveals the 931 surprising result that it can achieve a higher social work factor 932 than either the CA model alone or the Web of Trust model alone. 934 Consider the case that Alice and Bob have each obtained a certificate 935 that presents a Social Work Factor of $10. Applying the CA model in 936 isolation, $10 is the limit to the SFW that can be achieved. But if 937 Alice and Bob were to meet and exchange endorsements, the SFW may be 938 increased by up to $10. If the exchange of endorsements is made in 939 person by means of some QR code mediated cryptographic protocol, we 940 might reasonably ascribe a SWF of $20 to each credential. 942 This higher SWF can now be used to evaluate the value of endorsements 943 issued by Alice and Bob to user Carol and of Carol to Doug, neither 944 of whom has a CA issued certificates. While the SWF of Carol is 945 certainly less than $20 and the SWF or Doug is even lower, it is 946 certainly greater than $0. 948 While these particular values are given for the sake of example, it 949 is clearly the case that as with the WebPKI, the blended approach 950 permits trust to be quantified according to objective criteria even 951 if the reliability of the values assigned remains subjective. The 952 Google Page Rank algorithm did not have to be perfect to be useful 953 and just as the deployment of the Web spurred the development of 954 engines offering better and more accurate search engines, deployment 955 of blended PKI may be reasonably be expected to lead to the 956 development of better and more accurate means of evaluating trust. 958 The power of the blended approach is that it provides the reach of 959 the Web of Trust model with the resilience of the CA model while 960 permitting a measurable improvement in work factor over both. 962 Combining the blended trust model with the internotary model allows 963 these SWF values to be fixed in time. It is one thing for an 964 attacker to spend $100 to impersonate the President of the United 965 States. It is quite another for an attacker to spend $100 per target 966 on every person who might become President of the United States in 20 967 years' time. 969 3. The Mesh of Trust 971 The purpose of the Mathematical Mesh is to put the user rather than 972 the designer in control of their trust infrastructure. To this end, 973 the Mesh supports use of any credential issued by any form of PKI and 974 provides a means of using these credentials in a blended model. 976 3.1. Master Profile 978 The Mesh provides an infrastructure that enables a user to manage all 979 the cryptographic keys and other infrastructure that are necessary to 980 provide security. 982 A Mesh master profile is the root of trust for each user's personal 983 PKI. By definition, every device, every application key that is a 984 part of user's personal Mesh profile is ultimately authenticated 985 either directly or indirectly by the signature key published in the 986 master profile. 988 Unlike user keys in traditional PKIs, a Mesh master profile is 989 designed to permit (but not require) life long use. A Master profile 990 can be revoked but does not expire. It is not possible to change the 991 signature key in a master profile. Should a compromise occur, a new 992 master profile must be created. 994 3.2. Uniform Data Fingerprints 996 Direct trust in the Mesh is realized through use of Uniform Data 997 Fingerprints (UDF) [draft-hallambaker-mesh-udf]. A UDF consists of a 998 cryptographic digest (e.g. SHA-2-512) over a data sequence and a 999 content type identifier. 1001 UDFs are presented as a Base32 encoded sequence with separators every 1002 25 characters. UDFs may be presented at different precisions 1003 according to the intended use. The 25-character presentation 1004 provides a work factor of 2^(117) and is short enough to put on a 1005 business card or present as a QR code. The 50-character presentation 1006 provides a work factor of 2^(242) and is compact enough to be used in 1007 a configuration file. 1009 For example, the UDF of the text/plain sequence "UDF Data Value" may 1010 be presented in either of the following forms: 1012 MDDK7-N6A72-7AJZN-OSTRX-XKS7D 1013 MDDK7-N6A72-7AJZN-OSTRX-XKS7D-JAFXI-6OZSL-U2VOA-TZQ6J-MHPTS 1015 The UDF of a user's master profile signature key is used as a 1016 persistent, permanent identifier of the user that is unique to them 1017 and will remain constant for their entire life unless they have 1018 reason to replace their master profile with a new one. The exchange 1019 of master profile UDFs is the means by which Mesh users establish 1020 direct trust. 1022 3.3. Strong Internet Names 1024 A Strong Internet name (SIN) [draft-hallambaker-mesh-udf] is a valid 1025 Internet address that contains a UDF fingerprint of a security policy 1026 describing interpretation of that name. 1028 While a SIN creates a strong binding between an Internet address and 1029 a security policy, it does not provide a mechanism for discovery of 1030 the security policy. Nor is it necessarily the case that this is 1031 publicly available. 1033 For example, Example Inc holds the domain name example.com and has 1034 deployed a private CA whose root of trust is a PKIX certificate with 1035 the UDF fingerprint MB2GK-6DUF5-YGYYL-JNY5E-RWSHZ. 1037 Alice is an employee of Example Inc., she uses three email addresses: 1039 For example, Example Inc holds the domain name example.com and has 1040 deployed a private CA whose root of trust is a PKIX certificate with 1041 the UDF fingerprint MB2GK-6DUF5-YGYYL-JNY5E-RWSHZ. 1043 Alice is an employee of Example Inc., she uses three email addresses: 1045 alice@example.com A regular email address (not a SIN). 1047 alice@mm--mb2gk-6duf5-ygyyl-jny5e-rwshz.example.com A strong email 1048 address that is backwards compatible. 1050 alice@example.com.mm--mb2gk-6duf5-ygyyl-jny5e-rwshz A strong email 1051 address that is backwards incompatible. 1053 Use of SINs allows the use of a direct trust model to provide end-to- 1054 end security using existing, unmodified email clients and other 1055 Internet applications. 1057 For example, Bob might use Microsoft Outlook 2019, an email 1058 application that has no support for SINs as his email client. He 1059 configures Outlook to direct outbound mail through a SIN-aware proxy 1060 service. When Bob attempts to send mail to a strong email address 1061 for Alice, the proxy recognizes that the email address is a SIN and 1062 ensures that the necessary security enhancements are applied to meet 1063 the implicit security policy. 1065 3.4. Trust notary 1067 A Mesh trust notary is a chained notary service that accepts 1068 notarization requests from users and enrolls them in a publicly 1069 visible, tamper-evident, append-only log. 1071 The practices for operation of the trust notary are currently 1072 undefined but should be expected to follow the approach described 1073 above. 1075 The trust notary protocol provides support for establishing an 1076 internotary through cross certification. The append only log format 1077 is a DARE Container [draft-hallambaker-mesh-dare], the service 1078 protocol is currently in development. 1080 3.5. Endorsement 1082 An endorsement is a document submitted to a trust notary that 1083 includes a claim of the form 'public key X is held by user Y'. Mesh 1084 endorsements may be issued by CAs or by ordinary users. 1086 3.6. Evaluating trust 1088 One of the chief advantages of the World Wide Web over previous 1089 networked hypertext proposals was that it provided no means of 1090 searching for content. While the lack of a search capability was an 1091 obstacle to content discovery in the early Web, competing solutions 1092 to meeting this need were deployed, revised and replaced. 1094 The Mesh takes the same approach to evaluation of trust. The Mesh 1095 provides an infrastructure for expression of trust claims but is 1096 silent on their interpretation. As with the development of search 1097 for the Web, the evaluation of trust in the Mesh is left to the 1098 application of venture capital to deep AI. 1100 4. Conclusions 1102 This paper describes the principal approaches used to establish 1103 Internet trust, a means of evaluating them and a proposed successor. 1104 It now remains to determine the effectiveness of the proposed 1105 approach by attempting deployment. 1107 5. Security Considerations 1109 This document describes the means by which interparty identification 1110 risk is managed and controlled in the Mathematical Mesh. 1112 The security considerations for use and implementation of Mesh 1113 services and applications are described in the Mesh Security 1114 Considerations guide [draft-hallambaker-mesh-security]. 1116 6. Acknowledgements 1118 A list of people who have contributed to the design of the Mesh is 1119 presented in [draft-hallambaker-mesh-architecture]. 1121 7. Normative References 1123 [draft-hallambaker-mesh-architecture] 1124 Hallam-Baker, P., "Mathematical Mesh 3.0 Part I: 1125 Architecture Guide", Work in Progress, Internet-Draft, 1126 draft-hallambaker-mesh-architecture-12, 16 January 2020, 1127 . 1130 [draft-hallambaker-mesh-security] 1131 Hallam-Baker, P., "Mathematical Mesh 3.0 Part VII: 1132 Security Considerations", Work in Progress, Internet- 1133 Draft, draft-hallambaker-mesh-security-03, 16 January 1134 2020, . 1137 8. Informative References 1139 [Adrian2015] 1140 Adrian, D., "Weak Diffie-Hellman and the Logjam Attack", 1141 October 2015. 1143 [Bitcoin] Finley, K., "After 10 Years, Bitcoin Has Changed 1144 Everything?And Nothing", November 2018. 1146 [Diffie76] Diffie, W. and M. E. Hellman, "New Directions in 1147 Cryptography", November 1976. 1149 [draft-hallambaker-mesh-dare] 1150 Hallam-Baker, P., "Mathematical Mesh 3.0 Part III : Data 1151 At Rest Encryption (DARE)", Work in Progress, Internet- 1152 Draft, draft-hallambaker-mesh-dare-06, 16 January 2020, 1153 . 1156 [draft-hallambaker-mesh-udf] 1157 Hallam-Baker, P., "Mathematical Mesh 3.0 Part II: Uniform 1158 Data Fingerprint.", Work in Progress, Internet-Draft, 1159 draft-hallambaker-mesh-udf-08, 6 January 2020, 1160 . 1163 [Haber91] Haber, S. and W. S. Stornetta, "How to Time-Stamp a 1164 Digital Document", 1991. 1166 [Intel2018] 1167 Bell, L., "Intel delays 10nm Cannon Lake processors, 1168 again, until late 2019", July 2018. 1170 [Kohnfelder78] 1171 Kohnfelder, L. M., "Towards a Practical Public-Key 1172 Cryptosystem", May 1978. 1174 [Namecoin] Inc., N., "Namecoin Web Site", 2019. 1176 [Ratchet] Marlinspike, M. and T. Perrin, "The Double Ratchet 1177 Algorithm", November 2016. 1179 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 1180 Key Derivation Function (HKDF)", RFC 5869, 1181 DOI 10.17487/RFC5869, May 2010, 1182 . 1184 [RFC6246] Sajassi, A., Brockners, F., Mohan, D., and Y. Serbest, 1185 "Virtual Private LAN Service (VPLS) Interoperability with 1186 Customer Edge (CE) Bridges", RFC 6246, 1187 DOI 10.17487/RFC6246, June 2011, 1188 . 1190 [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate 1191 Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013, 1192 . 1194 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1195 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1196 . 1198 [Schneier2013] 1199 Schneier, B., "Defending Against Crypto Backdoors", 1200 October 2013. 1202 [Shannon1949] 1203 Shannon, C. E., "Communication Theory of Secrecy Systems", 1204 1949.