idnits 2.17.1 draft-hallambaker-mesh-trust-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack an Authors' Addresses Section. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (5 August 2021) is 988 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 6962 (Obsoleted by RFC 9162) Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. M. Hallam-Baker 3 Internet-Draft ThresholdSecrets.com 4 Intended status: Informational 5 August 2021 5 Expires: 6 February 2022 7 Mathematical Mesh 3.0 Part X: The Trust Mesh 8 draft-hallambaker-mesh-trust-09 10 Abstract 12 This paper extends Shannon's concept of a 'work factor' as applied to 13 evaluation of cryptographic algorithms to provide an objective 14 measure of the practical security offered by a protocol or 15 infrastructure design. Considering the hypothetical work factor 16 based on an informed estimate of the probable capabilities of an 17 attacker with unknown resources provides a better indication of the 18 relative strength of protocol designs than the computational work 19 factor of the best-known attack. 21 The social work factor is a measure of the trustworthiness of a 22 credential issued in a PKI based on the cost of having obtained the 23 credential through fraud at a certain point in time. Use of the 24 social work factor allows evaluation of Certificate Authority based 25 trust models and peer to peer (Web of Trust) models to be evaluated 26 in the same framework. The analysis demonstrates that both 27 approaches have limitations and that in certain applications, a 28 blended model is superior to either by itself. 30 The final section of the paper describes a proposal to realize this 31 blended model using the Mathematical Mesh. 33 [Note to Readers] 35 Discussion of this draft takes place on the MATHMESH mailing list 36 (mathmesh@ietf.org), which is archived at 37 https://mailarchive.ietf.org/arch/search/?email_list=mathmesh. 39 This document is also available online at 40 http://mathmesh.com/Documents/draft-hallambaker-mesh-trust.html. 42 Status of This Memo 44 This Internet-Draft is submitted in full conformance with the 45 provisions of BCP 78 and BCP 79. 47 Internet-Drafts are working documents of the Internet Engineering 48 Task Force (IETF). Note that other groups may also distribute 49 working documents as Internet-Drafts. The list of current Internet- 50 Drafts is at https://datatracker.ietf.org/drafts/current/. 52 Internet-Drafts are draft documents valid for a maximum of six months 53 and may be updated, replaced, or obsoleted by other documents at any 54 time. It is inappropriate to use Internet-Drafts as reference 55 material or to cite them other than as "work in progress." 57 This Internet-Draft will expire on 6 February 2022. 59 Copyright Notice 61 Copyright (c) 2021 IETF Trust and the persons identified as the 62 document authors. All rights reserved. 64 This document is subject to BCP 78 and the IETF Trust's Legal 65 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 66 license-info) in effect on the date of publication of this document. 67 Please review these documents carefully, as they describe your rights 68 and restrictions with respect to this document. 70 Table of Contents 72 1. Work Factor . . . . . . . . . . . . . . . . . . . . . . . . . 3 73 1.1. Computational Work Factor . . . . . . . . . . . . . . . . 3 74 1.2. Hypothetical Work Factor . . . . . . . . . . . . . . . . 4 75 1.3. Known Unknowns . . . . . . . . . . . . . . . . . . . . . 5 76 1.4. Defense in Depth . . . . . . . . . . . . . . . . . . . . 7 77 1.5. Mutual Reinforcement . . . . . . . . . . . . . . . . . . 7 78 1.6. Safety in Numbers . . . . . . . . . . . . . . . . . . . . 8 79 1.7. Cost Factor . . . . . . . . . . . . . . . . . . . . . . . 10 80 1.8. Social Work Factor . . . . . . . . . . . . . . . . . . . 13 81 1.8.1. Related work . . . . . . . . . . . . . . . . . . . . 14 82 2. The problem of trust . . . . . . . . . . . . . . . . . . . . 14 83 2.1. Existing approaches . . . . . . . . . . . . . . . . . . . 15 84 2.1.1. Trust After First Use (TAFU) . . . . . . . . . . . . 16 85 2.1.2. Direct Trust . . . . . . . . . . . . . . . . . . . . 16 86 2.1.3. Certificate Authority . . . . . . . . . . . . . . . . 16 87 2.1.4. Web of Trust . . . . . . . . . . . . . . . . . . . . 18 88 2.1.5. Chained notary . . . . . . . . . . . . . . . . . . . 18 89 2.1.6. A blended approach . . . . . . . . . . . . . . . . . 20 90 3. The Mesh of Trust . . . . . . . . . . . . . . . . . . . . . . 21 91 3.1. Master Profile . . . . . . . . . . . . . . . . . . . . . 22 92 3.2. Uniform Data Fingerprints . . . . . . . . . . . . . . . . 22 93 3.3. Strong Internet Names . . . . . . . . . . . . . . . . . . 23 94 3.4. Trust notary . . . . . . . . . . . . . . . . . . . . . . 23 95 3.5. Endorsement . . . . . . . . . . . . . . . . . . . . . . . 24 96 3.6. Evaluating trust . . . . . . . . . . . . . . . . . . . . 24 97 4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 24 98 5. Security Considerations . . . . . . . . . . . . . . . . . . . 24 99 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 25 100 7. Normative References . . . . . . . . . . . . . . . . . . . . 25 101 8. Informative References . . . . . . . . . . . . . . . . . . . 25 103 1. Work Factor 105 Recent events have highlighted both the need for open standards-based 106 security protocols and the possibility that the design of such 107 protocols may have been sabotaged [Schneier2013]. We thus face two 108 important and difficult challenges, first to design an Internet 109 security infrastructure that offers practical security against the 110 class of attacks revealed, and secondly, to convince potential users 111 that the proposed new infrastructure has not been similarly 112 sabotaged. 114 The measure of a security of a system is the cost and difficulty of 115 making a successful attack. The security of a safe is measured by 116 the length time it is expected to resist attack using a specified set 117 of techniques. The security of a cryptographic algorithm against a 118 known attack is measured by the computational cost of the attack. 120 This paper extends Shannon's concept of a 'work factor' [Shannon1949] 121 to provide an objective measure of the security a protocol or 122 infrastructure offers against other forms of attack. 124 1.1. Computational Work Factor 126 The term 'Computational Work Factor' is used to refer to Shannon's 127 original concept. 129 One of Shannon's key insights was that the work factor of a 130 cryptographic algorithm could be exponential. Adding a single bit to 131 the key size of an ideal symmetric algorithm presents only a modest 132 increase in computational effort for the defender but doubles the 133 work factor for the attacker. 135 More precisely, the difficulty of breaking a cryptographic algorithm 136 is generally measured by the work-factor ratio. If the cost of 137 encrypting a block with 56-bit DES is _x_, the worst case cost of 138 recovering the key through a brute force attack is 2^56_x_. The 139 security of DES has changed over time because _x_ has fallen 140 exponentially. 142 While the work factor is traditionally measured in terms of the 143 number of operations, many cryptanalytic techniques permit memory 144 used to be traded for computational complexity. An attack requiring 145 2^64bytes of memory that reduces the number of operations required to 146 break a 128-bit cipher to 2^64 is a rather lower concern than one 147 which reduces the number of operations to 2^80. The term 'cost' is 148 used to gloss over such distinctions. 150 The Computational Work Factor ratio WF-C (A) of a cryptographic 151 algorithm A, is the cost of the best-known attack divided by the cost 152 of the algorithm itself. 154 1.2. Hypothetical Work Factor 156 Modern cryptographic algorithms use keys of 128 bits or more and 157 present a work factor ratio of 2^128 against brute force attack. 158 This work factor is at least 2^72 times higher than DES and 159 comfortably higher than the work factor of 2^80operations that is 160 generally believed to be the practical limit to current attacks. 162 Though Moore's law has delivered exponential improvements in 163 computing performance over the past four decades, this has been 164 achieved through continual reductions in the minimum feature size of 165 VLSI circuits. As the minimum feature size rapidly approaches the 166 size of individual atoms, this mechanism has already begun to stall 167 [Intel2018]. 169 While an exceptionally well-resourced attacker may gain performance 170 advances through use of massive parallelism, faster clock rates made 171 possible by operating at super-low temperatures and custom designed 172 circuits, the return on such approaches is incremental rather than 173 exponential. 175 Performance improvements may allow an attacker to break systems with 176 a work factor several orders of magnitude greater than the public 177 state of the art. But an advance in cryptanalysis might permit a 178 potentially more significant reduction in the work factor. 180 The primary consideration in the choice of a cryptographic algorithm 181 therefore is not the known computational work factor as measured 182 according to the best publicly known attack but the confidence that 183 the computational work factor of the best attack that might be known 184 to the attacker. 186 While the exact capabilities of the adversary are unknown, a group of 187 informed experts may arrive at a conservative estimate of their 188 likely capabilities. In particular, it is the capabilities of 189 nation-state actors that generally give rise to greatest concern in 190 security protocol design. In this paper we refer to this set of 191 actors as _nation-state class_ adversaries in recognition of the fact 192 that certain technology companies posses computing capabilities that 193 rival if not exceed those of the largest state actors and those 194 capabilities could at least in theory be co-opted for other purposes 195 in certain circumstances. 197 The probability that a nation-state class has discovered an attack 198 against AES-128 with a work factor ratio of 2^120 might be considered 199 relatively high while the probability that an attack with a work 200 factor ratio of less than 2^64 is very low. 202 We define the hypothetical work factor function WF-H (A, p) as 203 follows: If WF is a work factor ratio and p is an informed estimate 204 of the probability that an adversary has developed an attack with a 205 work factor ratio against algorithm A of WF or less then WF-H (A, p) 206 = WF. 208 Since the best-known public attack is known to the attacker, WF-H (A, 209 1) = WF_C (A) 211 The inverse function WF-H' (A, WF) returns the estimated probability 212 that the work factor of algorithm A is at least WF. 214 The hypothetical work factor and its inverse may be used to compare 215 the relative strengths of protocol designs. Given designs A and B, 216 we can state that B is an improvement on A if WF-H (A,p) > WF-H (B,p) 217 for all p. 219 When considering a protocol or infrastructure design we can thus 220 improve a protocol by either: 222 * Increasing WF-H (A,p) for some p, or 224 * Decreasing WF-H '(A,WF) 226 1.3. Known Unknowns 228 Unlike the computational work factor, the hypothetical work factor 229 does not provide an objective measure of the security offered by a 230 design. The purpose of the hypothetical work factor is to allow the 231 protocol designer to compare the security offered by different design 232 choices. 234 The task that the security engineer faces is to secure the system 235 from all attacks whether the attacks themselves are known or unknown. 236 In the current case it is known that an attacker is capable of 237 breaking at least some of the cryptographic algorithms in use. But 238 not which algorithms are affected or the nature of the attack(s). 240 Unlike the computational work factor, the hypothetical work factor 241 does not deliver an academically rigorous, publication and citation 242 worthy measure of the strength of a design. That is not its purpose. 243 the purpose of the hypothetical work factor is to assist the protocol 244 designer in designing protocols. 246 Design of security protocols has always required the designer to 247 consider attackers whose capabilities are not currently known and 248 thus involved a considerable degree of informed opinion and 249 guesswork. Whether correctly or not, the decision to reject changes 250 to the DNSSEC protocol to enable deployment in 2002 rested in part on 251 a statement by a Security Area Director that a proposed change gave 252 him 'a bad feeling in his gut'. The hypothetical work factor permits 253 the security designer to model to quantify such intestinally based 254 assumptions and model the effect on the security of the resulting 255 design. 257 Security is a property of systems rather than individual components. 258 While it is quite possible that there are no royal roads to 259 cryptanalysis and cryptanalysis of algorithms such as AES 128 is 260 infeasible even for the nation state class adversaries, such 261 adversaries are not limited to use of cryptanalytic attacks. 263 Despite the rise of organized cyber-crime, many financial systems 264 still employ weak cryptographic systems that are known to be 265 vulnerable to cryptanalytic attacks that are well within the 266 capabilities of the attackers. But fraud based on such techniques 267 remains vanishingly rare as it is much easier for the attackers to 268 persuade bank customers to simply give their access credentials to 269 the attacker. 271 Even if a nation-state class attacker has a factoring attack which 272 renders an attack on RSA-2048 feasible, it is almost certainly easier 273 for a nation-state class attacker to compromise a system using 274 RSA-2048 in other ways. For example, persuading the target of the 275 surveillance to use cryptographic devices with a random number 276 generator that leaks a crib for the attacker. Analyzing the second 277 form of attack requires a different type of analysis which is 278 addressed in the following section on social work factor. 280 1.4. Defense in Depth 282 The motivation behind introducing the concept of the hypothetical 283 work factor is a long experience of seeing attempts to make security 284 protocols more robust being deflected by recourse to specious 285 arguments based on the computational work factor. 287 For example, consider the case in which a choice between a single 288 security control and a defense in depth strategy is being considered: 290 * Option A: Uses algorithm X for protection. 292 * Option B: Uses a combination of algorithm X and algorithm Y for 293 protection such that the attacker must defeat both to break the 294 system and algorithms based on different cryptographic principles 295 are chosen so as to minimize the risk of a common failure mode. 297 If the computational work factor for both algorithms X and Y is 298 2^128, both options present the same work factor ratio. Although 299 Option B offers twice the security, it also requires twice the work. 301 The argument that normally wins is that both options present the same 302 computational work factor ratio of 2^128, Option A is simpler and 303 therefore Option A should be chosen. This despite the obvious fact 304 that only Option B offers defense in depth. 306 If we consider the adversary of being capable of performing a work 307 factor ratio of 2^80 and the probability the attacker has discovered 308 an attack capable of breaking algorithms X and Y to be 10% in each 309 case, the probability that the attacker can break Option A is 10% 310 while the probability that an attack on Option B is only 1%, a 311 significant improvement. 313 While Option B clearly offers a significant potential improvement in 314 security, this improvement is only fully realized if the 315 probabilities of a feasible attack are independent. 317 1.5. Mutual Reinforcement 319 The defense in depth approach affords a significant improvement in 320 security but an improvement that is incremental rather than 321 exponential in character. With mutual reinforcement we design the 322 mechanism such that in addition to requiring the attacker to break 323 each of the component algorithms, the difficulty of the attacks is 324 increased. 326 For example, consider the use of a Deterministic Random Number 327 Generator R(s,n) which returns a sequence of values R(s,1), R(s,2)... 328 from an initial seed s. 330 Two major concerns in the design of such generators are the 331 possibility of bias and that the seed value be somehow leaked through 332 a side channel. 334 Both concerns are mitigated if instead of using the output of one 335 generator directly, two independent random number generators with 336 distinct seeds are used. 338 For example, consider the use of the value R1(s1,n) XOR R2(s2,n) 339 where R1(s,n) and R2(s,n) are different random number generation 340 functions and s1, s2 are distinct seeds. 342 The XOR function has the property of preserving randomness so that 343 the output is guaranteed to be at least as random as either of the 344 generators from which it is built (provided that there is not a 345 common failure mode). Further, recovery of either random seed is at 346 least as hard as using the corresponding generator on its own. Thus, 347 the Hypothetical work factor for the combined system is improved to 348 at least the same extent as in the defense in depth case. 350 But any attempt to break either generator must now face the 351 additional complexity introduced by the output being masked with the 352 unknown output of the other. An attacker cannot cryptanalyze the two 353 generator functions independently. If the two generators and the 354 seeds are genuinely independent, the combined hypothetical work 355 factor is the product of the hypothetical work factors from which it 356 is built. 358 While implementing two independent generators and seeds represents a 359 significant increase in cost for the implementer, a similar 360 exponential leverage might be realized with negligible additional 361 complexity through use of a cryptographic digest of the generator 362 output to produce the masking value. 364 1.6. Safety in Numbers 366 In a traditional security analysis, the question of concern is 367 whether a cryptanalytic attack is feasible or not. When considering 368 an indiscriminate intercept capability as in a nation-state class 369 attack, the concern is not just whether an individual communication 370 might be compromised but the number of communications that may be 371 compromised for a given amount of effort. 373 'Perfect' Forward Secrecy is an optional feature supported in IPSec 374 and TLS. In 2008, implementations of TLS/1.2 [RFC6246] purported to 375 offer a choice between: 377 Direct key exchange with a work factor dependent on the difficulty of 378 breaking RSA 2048 380 Direct key exchange followed by a perfect forward secrecy exchange 381 with a work factor dependent on the difficulty of breaking both RSA 382 2048 and DH 1024. 384 Using the computational work factor alone suggests that the second 385 scheme has little advantage over the first since the computational 386 work factor of Diffie Hellman using the best-known techniques 2^80 387 while the computational work factor for RSA 2048 is 2^112. Use of 388 the perfect forward secrecy exchange has a significant impact on 389 server performance but does not increase the difficulty of 390 cryptanalysis. 392 Use of perfect forward secrecy with a combination of RSA and Diffie 393 Hellman does not provide a significant improvement in the 394 hypothetical work factor either if individual messages are 395 considered. The RSA and Diffie Hellman systems are closely related 396 and so an attacker that can break RSA 2048 can almost certainly break 397 RSA 1024. Moreover, computational work factor for DH 1024 is only 398 2^80 and thus feasibly within the reach of a well-funded and 399 determined attacker. 401 According to the analysis informally applied during design, use of 402 perfect forward secrecy does provide an important security benefit 403 when multiple messages are considered. While a sufficiently funded 404 and determined attacker could conceivably break tens, hundreds or 405 even thousands of DH 1024 keys a year, it is rather less likely that 406 an attacker could break millions a year. The OCSP servers operated 407 by Comodo CA receive over 2 billion hits a day and this represents 408 only a fraction of the number of uses of TLS on the Internet. Use of 409 perfect forward secrecy does not prevent an attacker from decrypting 410 any particular message but raises the cost of indiscriminate 411 intercept and decryption. 413 Unfortunately, this analysis is wrong because the TLS key exchange 414 does not achieve a work factor dependent on the difficulty of 415 breaking both RSA 2048 and DH 1024. The pre-master secret 416 established in the initial RSA 2048 exchange is only used to 417 authenticate the key exchange process itself. The session keys used 418 to encrypt content are derived from the weaker ephemeral key 419 exchange, the parameters of which are exchanged in plaintext. Due to 420 this defect in the design of the protocol, the Work Factor of the 421 protocol is the work factor of DH1024 alone. 423 Nor does the use of Diffie Hellman in this fashion provide security 424 when multiple messages are exchanged. The Logjam attack [Adrian2015] 425 exploits the fact that the difficulty of breaking the discrete 426 logarithm involves four major steps, the first three of which are the 427 most computationally intensive and only depend on the shared group 428 parameters. The cost of breaking a hundred Diffie Hellman public 429 keys is not a hundred times the cost of breaking a single key, there 430 is almost no difference. 432 Work factor analysis exposes these flaws in the design of the 433 TLS/1.2. Since the session keys used to encrypt traffic do not 434 depend on knowing the secret established in the RSA2048 exchange, the 435 work factor of the protocol is the lesser of 2^80 and 2^112. 437 A simple means of ensuring that the work factor of a protocol is not 438 reduced by a fresh key exchange is to use a one-way function such as 439 a cryptographic digest or a key exchange to combine the output of the 440 prior exchange with its successor. This principle is employed in the 441 double ratchet algorithm [Ratchet] used in the Signal protocol. In 442 the Mesh, the HKDF Key Derivation function [RFC5869] is frequently 443 used for the same purpose. 445 The work factor downgrade issue was addressed in TLS/1.3 [RFC8446] 446 albeit in a less direct fashion by encrypting the ephemeral key 447 exchange. 449 1.7. Cost Factor 451 As previously discussed, cryptanalysis is not the only tool available 452 to an attacker. Faced with a robust cryptographic defense, Internet 453 criminals have employed 'social engineering' instead. A nation-state 454 class attacker may use any and every tool at their disposal including 455 tools that are unique to government backed adversaries such as the 456 threat of legal sanctions against trusted intermediaries. 458 Although attackers can and will use every tool at their disposal, 459 each tool carries a cost and some tools require considerable advance 460 planning to use. It is conceivable that the AES standard published 461 by NIST contains a backdoor that somehow escaped the extensive peer 462 review. But any such effort would have had to have begun well in 463 advance of 1998 when the Rijndael cipher was first published. 465 Nation-state class actors frequently rely for security on the same 466 infrastructures that they are attempting to attack. Thus, the 467 introduction of vulnerabilities that might also be exploited by the 468 opposition incurs a cost to both. This concern is recognized in the 469 NSA 'NOBUS' doctrine: Nobody but us. To introduce a vulnerability in 470 a random number generator that can only be exploited by a party that 471 knows the necessary private key is acceptable. But introducing a 472 vulnerability that depends on the use of an unpublished cryptanalytic 473 technique is not because that same technique might be discovered by 474 the opposition. 476 Subversion of cryptographic apparatus such as Hardware Security 477 Modules (HSMs) and SSL accelerators faces similar constraints. HSMs 478 may be compromised by an adversary but the compromise must have taken 479 place before the device was manufactured or serviced. 481 Just as computational attacks are limited by the cryptanalytic 482 techniques known to and the computational resources available to the 483 attacker, social attacks are limited by the cost of the attack and 484 the capacity of the attacker. 486 The Cost Factor C(t) is an estimate of the cost of performing an 487 attack on or before a particular date in time (t). 489 For the sake of simplicity, currency units are used under the 490 assumption that all the resources required are fungible and that all 491 attackers face the same costs. But such assumptions may need to be 492 reconsidered when there is a range of attackers with very different 493 costs and capabilities. A hacktivist group could not conceivably 494 amass the computational and covert technical resources available to 495 the NSA but such a group could in certain circumstances conceivably 496 organize a protest with a million or more participants while the 497 number of NSA employees is believed to still be somewhat fewer. 499 The computational and hypothetical work factors are compared against 500 estimates of the computational resources of the attacker. An attack 501 is considered to be infeasible if that available computational 502 resources do not allow the attack to be performed within a useful 503 period of time. 505 The cost factor is likewise compared against an incentive estimate, 506 I(t) which is also time based. 508 * An attack is considered to be productive for an attacker if there 509 was a time t for which I(t) > C(t). 511 * An attack is considered to be unproductive if there is no time at 512 which it was productive for that attacker. 514 Unlike Cost Factor for which a lower bound based on the lowest cost 515 and highest capacity may be usefully applied to all attackers, 516 differences in the incentive estimate between attackers are likely to 517 be very significant. Almost every government has the means to 518 perform financial fraud on a vast scale but only rarely does a 519 government have the incentive. When governments do engage in 520 activities such as counterfeiting banknotes this has been done for 521 motives beyond mere peculation. 523 While government actors do not respond to the same incentives as 524 Internet criminals, governments fund espionage activities in the 525 expectation of a return on their investment. A government agency 526 director who does not produce the desired returns is likely to be 527 replaced. 529 For example, when the viability of SSL and the Web PKI for protecting 530 Internet payments was considered in the mid-1990s, the key question 531 was whether the full cost of obtaining a fraudulently issued 532 certificate would exceed the expected financial return where the full 533 cost is understood to include the cost of registering a bogus 534 corporation, submitting the documents and all the other activities 535 that would be required if a sustainable model for payments fraud was 536 to be established. 538 For an attack to be attractive to an attacker it is not just 539 necessary for it to be productive, the time between the initial 540 investment and the reward and the likelihood of success are also 541 important factors. An attack that requires several years of advance 542 planning is much less attractive than an attack which returns an 543 immediate profit. 545 An attack may be made less attractive by 547 * Increasing the cost 549 * Reducing the incentive 551 * Reducing the expected gain 553 * Reducing the probability that the incentive will be realized 555 * Increasing the time between the initial investment and the return. 557 Most real-world security infrastructures are based on more than one 558 of these approaches. The WebPKI is designed to increase the cost of 559 attack by introducing validation requirements and reduce the expected 560 gain through its revocation infrastructure. 562 1.8. Social Work Factor 564 In the cost factor analysis, it is assumed that all costs are 565 fungible, and the attack capacity of the attacker is only limited by 566 their financial resources. Some costs are not fungible however, in 567 particular inducing a large number of people to accept a forgery 568 without the effort being noticed requires much more than a limitless 569 supply of funds. 571 In a computational attack an operation will at worst fail to deliver 572 success. There is no penalty for failure beyond having failed to 573 succeed. When attempting to perpetuate a fraud on the general 574 public, every attempt carries a risk of exposure of the entire 575 scheme. When attempting to perform any covert activity, every 576 additional person who is indoctrinated into the conspiracy increases 577 the chance of exposure. 579 The totalitarian state envisioned by George Orwell in 1984 was only 580 plausible because each and every citizen is coerced to act as a party 581 to the conspiracy. The erasure and replacement of the past was 582 possible because the risk of exposure was nil. 584 In 2011, I expressed concern to a retired senior member of the NSA 585 staff that the number of contractors being hired to perform cyber- 586 sabotage operations represented a security risk and might be creating 587 a powerful constituency with an interest in the aggressive 588 militarization of cyberspace rather than preparing for its defense. 589 Subsequent disclosures by Robert Snowden have validated the 590 disclosure risk aspect of these concerns. Empirically, the NSA, an 591 organization charged with protecting the secrecy of government 592 documents, was unable to maintain the secrecy of their most important 593 secrets when the size of the conspiracy reached a few ten thousand 594 people. 596 The community of commercial practitioners of cryptographic 597 information security is small in size but encompasses many 598 nationalities. Many members of the community are bound by 599 ideological commitments to protecting personal privacy as an 600 unqualified moral objective. 602 Introducing a backdoor into a HSM, application or operating system 603 platform requires that every person with access to the platform 604 source or who might be called in to audit the code be a party to the 605 conspiracy. Tapping the fiber optic cables that support the Internet 606 backbone requires only a small work crew and digging equipment. 607 Maintaining a covert backdoor in a major operating system platform 608 would require hundreds if not thousands of engineers to participate 609 in the conspiracy. 611 The Social Work Factor WF_S(t) is a measure of the cost of 612 establishing a fraud in a conspiracy starting at date t. The cost is 613 measured in the number of actions that the party perpetrating the 614 fraud must perform that carry a risk of exposure. 616 In general, the Social Work Factor will increase over time. 617 Perpetrating a fraud claiming that the Roman emperor Nero never 618 existed today would require that millions of printed histories be 619 erased and rewritten, every person who has ever taught or taken a 620 lesson in Roman history would have to participate in the fraud. The 621 Social Work Factor would be clearly prohibitive. 623 The Social Work Factor in the immediate aftermath of Nero's 624 assassination in 68 would have been considerably lower. While the 625 emperor Nero was obviously not erased from history, this did happen 626 to Akhenaten, an Egyptian pharaoh of the 18^th dynasty whose 627 monuments were dismantled, statues destroyed, and his name erased 628 from the lists of kings. 630 1.8.1. Related work 632 It has not escaped the notice of the author that the social work 633 factor might be applied as a general metric for assessing the 634 viability of a conspiracy hypothesis. 636 Applying social work factor analysis to the moon landing conspiracy 637 theory we note that almost all of the tens of thousands of NASA 638 employees who worked on the Apollo project would have had to be a 639 part of the conspiracy and so would an even larger number of people 640 who worked for NASA contractors. The cost of perpetrating the hoax 641 would have clearly exceeded any imaginable benefit while the risk of 642 the hoax being exposed would have been catastrophic. 644 2. The problem of trust 646 Traditional (symmetric key) cryptography allows two parties to 647 communicate securely provided they both know a particular piece of 648 information known as a _key_ that must be known to encrypt or decrypt 649 the content. Public Key cryptography proposed by Diffie and Hellman 650 [Diffie76] provides much greater flexibility by using separate keys 651 for separate roles such that it is possible to do one without being 652 able to do the other. In a public key system, an encryption key 653 allows information to be encrypted but not to be decrypted. That 654 role can only be performed using the corresponding decryption key. 656 The Mathematical Mesh recryption services further extend the 657 capabilities of traditional public key infrastructures by further 658 partitioning of the roles associated with the private key. In the 659 Mesh, this capability is referred to as 'recryption' as it was 660 originally conceived of as being a form of Proxy Re-encryption as 661 described by Blaze et. al. but it might equally well be considered as 662 realizing distributed key generation as described by Pedersen. A 663 decryption key is split into two or more parts such that both parts 664 must be involved to complete a private key operation. These parts 665 are then distributed to separate parties, thus achieving 666 cryptographic enforcement of a separation of duties. 668 Public key cryptography allows many (but certainly not all) 669 information security concerns to be reduced to management of 670 cryptographic keys. If Alice knows the Bob's encryption key, she can 671 send Bob an encrypted message that only he can read. If Bob knows 672 Alice's signature key, Bob can verify that a digital signature on the 673 message really was created by Alice. 675 A Public Key Infrastructure (PKI) is a combination of technologies, 676 practices and services that support the management of public key 677 pairs. In particular, if Alice does not know Bob's public key, any 678 infrastructure that is designed to provide her with this information 679 may be regarded as a form of PKI. 681 The big challenge faced in the design, deployment of operation of a 682 PKI is that while Alice and Bob can communicate with perfect secrecy 683 if they use each other's actual public keys, they will have worse 684 than no security if an attacker can persuade them to use keys they 685 control instead. One of the chief concerns in PKI therefore is to 686 allow users to assess the level of risk they face, a quality known as 687 _trust_. 689 2.1. Existing approaches 691 Few areas of information security have engaged so much passionate 692 debate or diverse proposals as PKI architecture. Yet despite the 693 intensity of this argument the state of deployment of PKI in the 694 Internet has remained almost unchanged. 696 TLS and SSH, the only Internet security protocols that have 697 approached ubiquity both operate at the transport layer. The use of 698 IPSEC is largely limited to providing VPN access. DNSSEC remains a 699 work in progress. Use of end-to-end secure email messaging is 700 negligible and shows no sign of improvement as long as competition 701 between S/MIME and OpenPGP remains at a stalemate in which one has a 702 monopoly on mindshare and the other a monopoly on deployment. 704 2.1.1. Trust After First Use (TAFU) 706 Trust After First Use is a simple but often effective form of PKI. 707 Instead of trying to verify each other's public key the first time 708 they attempt to communicate, the parties record the public key 709 credentials presented in their first interaction and check that the 710 same credentials are presented in subsequent transactions. While 711 this approach does not absolutely guarantee that 'Alice' is really 712 talking to 'Bob', as the conversation continues over hours, months or 713 even years, they are both assured that they are talking to the same 714 person. 716 2.1.2. Direct Trust 718 In the direct trust model, credentials are exchanged in person. The 719 exchange may be of the actual public key itself or by means of a 720 'fingerprint' which is simply a means of formatting a cryptographic 721 digest of the key to the user. 723 Use of direct trust is robust and avoids the need to introduce any 724 form of trusted third party. It is also limited for the obvious 725 reason that it is not always possible for users to meet in person. 726 For this reason, protocols that attempt to offer a direct trust model 727 often turn out to be being used in trust-after-first-use mode in 728 practice when the behavior of users is examined. 730 2.1.3. Certificate Authority 732 The archetype of what is generally considered to be 'PKI' was 733 introduced in Kohnfelder's 1978 Msc. Thesis [Kohnfelder78]. A 734 Certificate Authority (CA)whose signature key is known to all the 735 participants issues certificates binding the user's public key to 736 their name and/or contact address(es). 738 This approach forms the basis of almost every widely deployed PKI 739 including the EMV PKI that support smart card payments, the CableLabs 740 PKI that supports the use of set top boxes to access copyright 741 protected content and the WebPKI mentioned earlier that supports the 742 use of TLS in online commerce. 744 One area in which the CA model has not met with widespread success is 745 the provision of end-to-end secure email described in the original 746 paper. Despite the fact that S/MIME secure email has been supported 747 by practically every major email client for over 20 years, only a 748 small number of users are aware that email encryption is supported 749 and even fewer user it on a regular basis. 751 One of the reasons for this lack of uptake is the lack of uptake 752 itself. Until a critical mass of users is established, the network 753 effect presents as the chicken and egg problem. Another reason for 754 the failure is the sheer inconvenience use of S/MIME presents to the 755 user. Obtaining, installing and maintaining certificates requires 756 significant user effort and knowledge. But even if these obstacles 757 are addressed (as the Mesh attempts to do), as far as the open 758 Internet is concerned, S/MIME provides little or no benefit over a 759 direct trust model because there is no equivalent of the WebPKI for 760 email. 762 Most CAs that operate WebPKI services also offer S/MIME PKI services, 763 but these are seldom used except by enterprises and government 764 agencies where certificates are usually issued for internal use only. 766 One of the chief difficulties in establishing a MailPKI analogous to 767 the WebPKI is the difficulty of establishing a set of validation 768 requirements that are cost effective to users and present a 769 meaningful social work factor to attackers. 771 When VeriSign began operating the first Internet CA, two classes of 772 email certificate were offered that have since become a de facto 773 industry standard: 775 Class 1: The CA verified that the subject applying for the 776 certificate could read email sent to the address specified in the 777 certificate. 779 Class 2: The requirements of class 1 plus the requirement that the 780 certificate be issued through a Registration Authority that had 781 been separately determined to meet the considerably more stringent 782 validation requirements for organizations specified in class 3 and 783 in particular, demonstrated ownership of the corresponding domain 784 name. 786 Class 2 certificates were designed to be issued by organizations to 787 their employees and arguably present a more than adequate social work 788 factor to prevent most forms of attack. S/MIME certificates are in 789 daily use to secure very sensitive communications relating to very 790 high value transactions. But this represents a niche application of 791 what was intended to be a ubiquitous infrastructure that would 792 eventually secure every email communication. 794 The only type of certificate that the typical Internet user can 795 obtain is class 1 which at best offers a small improvement on social 796 work factor over Trust After First Use. 798 2.1.4. Web of Trust 800 The concept of the Web of Trust was introduced by Zimmerman with the 801 launch of PGP. It represents the antithesis of the hierarchical CA 802 model then being proposed for the Privacy Enhance Mail scheme being 803 considered by the IETF at the time. A core objection to this model 804 was the fact that users could only communicate securely by obtaining 805 a certificate from a CA. The goal of PGP was to democratize the 806 process by making every user a trust provider. 808 Like S/MIME, OpenPGP protocol has achieved some measure of success 809 but has fallen far short of its original goal of becoming ubiquitous 810 and almost none of the users have participated in the Web of Trust. 812 One of the chief technical limitations of the Web of Trust is that 813 trust degrades over distance. An introduction from a friend of a 814 friend has less value than one from a friend. As the number of users 815 gets larger, the chains of trust get longer, and the trustworthiness 816 of the link becomes smaller. 818 Another limitation is that as is fitting for a concept launched at 819 the high tide of postmodernism, the trust provided is inherently 820 relative. Every user has a different view of the Web of Trust and 821 thus a different degree of trust in the other users. This makes it 822 impossible for a commercial service to offer to navigate the Web of 823 Trust on a user's behalf. 825 2.1.5. Chained notary 827 The rise of BitCoin [Bitcoin] and the blockchain technology on which 828 it is based have given rise to numerous proposals that make use of a 829 tamper-evident notary as either the basis for a new PKI (e.g. 830 NameCoin [Namecoin]) or to provide additional audit controls for an 831 existing PKI (e.g. Certificate Transparency [RFC6962]). 833 The principle of making a digital notary service tamper-evident by 834 means of combining each output of the notary with the input of its 835 successor using a cryptographic digest was proposed in 1991 by Haber 836 and Stornetta [Haber91]. Every output of the notary depends on every 837 one of the previous inputs. Thus, any attempt to modify an input 838 will cause every subsequent output to be invalidated. 840 Notaries operating according to these principles can quickly achieve 841 prohibitively high social work factors by simply signing their output 842 values at regular intervals and publishing a record of the signed 843 values. Any attempt by the notary to tamper with the log will 844 produce a non-repudiable proof of the defection. Thus once an input 845 value is enrolled in a chained notary, the social work factor for 846 modifying that input subsequent to that becomes the same as the 847 social work factor for subverting the notary and every party that has 848 a record of the signed outputs of that notary. 850 Enrolling the signed outputs of one notary as an input to another 851 independently operated notary establishes a circumstance in which it 852 is not possible for one notary to defect unless the other does as 853 well. Applying the same principle to a collection of notaries 854 establishes a circumstance in which it is not possible for any notary 855 to defect without that defection becoming evident unless every other 856 notary also defects. If such infrastructures are operated in 857 different countries by a variety of reputable notaries, the social 858 work factor of modifying an input after it is enrolled may be 859 considered as to rapidly approach infinity. 861 One corollary of this effect is that just as there is only one global 862 postal system, one telephone system and one Internet, convergence of 863 the chained notary infrastructure is also inevitable. Users seeking 864 the highest possible degree of tamper evidence will seek out notaries 865 that cross notarize with the widest and most diverse range of other 866 notaries. I propose a name for this emergent infrastructure, the 867 Internotary. 869 According to the image presented in the popular press, it is the 870 minting of new cryptocurrency that provides stability to the 871 distributed leger at the heart of BitCoin, Etherium and their many 872 imitators. The fact that notaries that do not require proof of work, 873 proof of stake or any other form of seigniorage offer the same social 874 work factor (effectively infinite) as those that do demonstrates that 875 it is not necessary to consume nation-state level quantities of 876 electricity to operate such infrastructures. 878 The attraction of employing such notaries in a PKI system is that the 879 social work factor to forge a credential prior to a date that has 880 already been notarized as past is infinite. It is obvious that 881 almost none of the thousands of OpenPGP keys registered with the key 882 server infrastructure for 'Barack Obama' are genuine and so all the 883 registered keys are untrustworthy. But if it was known that one 884 particular key had been registered in the 1980s, before Obama had 885 become a political leader, that particular key would be considerably 886 more trustworthy than the rest. 888 The use of chained notaries may be viewed as providing a distributed 889 form of Trust After First Use. The first use event in this case is 890 the enrollment of the event in the notary. Instead of Alice having 891 to engage in separate first use events with Bob, Carol, Doug and 892 every other user she interacts with, a single first use event with 893 the internotary supports all her existing and future contacts. 895 2.1.6. A blended approach 897 As we have seen, different PKI architectures have emerged to serve 898 different communities of use by offering different forms of trust. 899 The trust provided by the OpenPGP and S/MIME PKIs to the communities 900 they serve is distinct. The S/MIME PKI does not provide a useful 901 means of establishing a trusted relationship in a personal capacity. 902 The OpenPGP PKI is not appropriate for establishing a trust 903 relationship in an enterprise capacity. Yet despite this obvious 904 difference in capabilities, there has been no convergence between 905 these competing approaches in the past two decades. 907 The only convergence in approach that has developed over this period 908 is within the applications that rely on PKI. Most SSH clients and 909 servers make provision for use of CA issued certificates for 910 authentication. Most email clients may be configured to support 911 OpenPGP in addition to S/MIME. 913 While offering the choice of CA issued, direct trust or Web of Trust 914 credentials is better than insisting on the use of the one, true PKI, 915 this approach is less powerful than a blended approach allowing the 916 user to make use of all of them. 918 In the blended approach, every user is a trust provider and can 919 provide endorsements to other user and some (but not necessarily all) 920 users have CA issued certificates. 922 This approach follows the same patterns that have been applied in the 923 issue of government credentials for centuries. In many countries, 924 passport applications must be endorsed by either a member of a 925 profession that has frequent interaction with the public (e.g. 926 doctors, lawyers and clerics), a licensed and registered set of 927 public notaries or both. 929 Analysis of the blended approach in terms of work factor reveals the 930 surprising result that it can achieve a higher social work factor 931 than either the CA model alone or the Web of Trust model alone. 933 Consider the case that Alice and Bob have each obtained a certificate 934 that presents a Social Work Factor of $10. Applying the CA model in 935 isolation, $10 is the limit to the SFW that can be achieved. But if 936 Alice and Bob were to meet and exchange endorsements, the SFW may be 937 increased by up to $10. If the exchange of endorsements is made in 938 person by means of some QR code mediated cryptographic protocol, we 939 might reasonably ascribe a SWF of $20 to each credential. 941 This higher SWF can now be used to evaluate the value of endorsements 942 issued by Alice and Bob to user Carol and of Carol to Doug, neither 943 of whom has a CA issued certificates. While the SWF of Carol is 944 certainly less than $20 and the SWF or Doug is even lower, it is 945 certainly greater than $0. 947 While these particular values are given for the sake of example, it 948 is clearly the case that as with the WebPKI, the blended approach 949 permits trust to be quantified according to objective criteria even 950 if the reliability of the values assigned remains subjective. The 951 Google Page Rank algorithm did not have to be perfect to be useful 952 and just as the deployment of the Web spurred the development of 953 engines offering better and more accurate search engines, deployment 954 of blended PKI may be reasonably be expected to lead to the 955 development of better and more accurate means of evaluating trust. 957 The power of the blended approach is that it provides the reach of 958 the Web of Trust model with the resilience of the CA model while 959 permitting a measurable improvement in work factor over both. 961 Combining the blended trust model with the internotary model allows 962 these SWF values to be fixed in time. It is one thing for an 963 attacker to spend $100 to impersonate the President of the United 964 States. It is quite another for an attacker to spend $100 per target 965 on every person who might become President of the United States in 20 966 years' time. 968 3. The Mesh of Trust 970 The purpose of the Mathematical Mesh is to put the user rather than 971 the designer in control of their trust infrastructure. To this end, 972 the Mesh supports use of any credential issued by any form of PKI and 973 provides a means of using these credentials in a blended model. 975 3.1. Master Profile 977 The Mesh provides an infrastructure that enables a user to manage all 978 the cryptographic keys and other infrastructure that are necessary to 979 provide security. 981 A Mesh master profile is the root of trust for each user's personal 982 PKI. By definition, every device, every application key that is a 983 part of user's personal Mesh profile is ultimately authenticated 984 either directly or indirectly by the signature key published in the 985 master profile. 987 Unlike user keys in traditional PKIs, a Mesh master profile is 988 designed to permit (but not require) life long use. A Master profile 989 can be revoked but does not expire. It is not possible to change the 990 signature key in a master profile. Should a compromise occur, a new 991 master profile must be created. 993 3.2. Uniform Data Fingerprints 995 Direct trust in the Mesh is realized through use of Uniform Data 996 Fingerprints (UDF) [draft-hallambaker-mesh-udf]. A UDF consists of a 997 cryptographic digest (e.g. SHA-2-512) over a data sequence and a 998 content type identifier. 1000 UDFs are presented as a Base32 encoded sequence with separators every 1001 25 characters. UDFs may be presented at different precisions 1002 according to the intended use. The 25-character presentation 1003 provides a work factor of 2^117 and is short enough to put on a 1004 business card or present as a QR code. The 50-character presentation 1005 provides a work factor of 2^242 and is compact enough to be used in a 1006 configuration file. 1008 For example, the UDF of the text/plain sequence "UDF Data Value" may 1009 be presented in either of the following forms: 1011 MDDK7-N6A72-7AJZN-OSTRX-XKS7D 1012 MDDK7-N6A72-7AJZN-OSTRX-XKS7D-JAFXI-6OZSL-U2VOA-TZQ6J-MHPTS 1014 The UDF of a user's master profile signature key is used as a 1015 persistent, permanent identifier of the user that is unique to them 1016 and will remain constant for their entire life unless they have 1017 reason to replace their master profile with a new one. The exchange 1018 of master profile UDFs is the means by which Mesh users establish 1019 direct trust. 1021 3.3. Strong Internet Names 1023 A Strong Internet name (SIN) [draft-hallambaker-mesh-udf] is a valid 1024 Internet address that contains a UDF fingerprint of a security policy 1025 describing interpretation of that name. 1027 While a SIN creates a strong binding between an Internet address and 1028 a security policy, it does not provide a mechanism for discovery of 1029 the security policy. Nor is it necessarily the case that this is 1030 publicly available. 1032 For example, Example Inc holds the domain name example.com and has 1033 deployed a private CA whose root of trust is a PKIX certificate with 1034 the UDF fingerprint MB2GK-6DUF5-YGYYL-JNY5E-RWSHZ. 1036 Alice is an employee of Example Inc., she uses three email addresses: 1038 For example, Example Inc holds the domain name example.com and has 1039 deployed a private CA whose root of trust is a PKIX certificate with 1040 the UDF fingerprint MB2GK-6DUF5-YGYYL-JNY5E-RWSHZ. 1042 Alice is an employee of Example Inc., she uses three email addresses: 1044 alice@example.com A regular email address (not a SIN). 1046 alice@mm--mb2gk-6duf5-ygyyl-jny5e-rwshz.example.com A strong email 1047 address that is backwards compatible. 1049 alice@example.com.mm--mb2gk-6duf5-ygyyl-jny5e-rwshz A strong email 1050 address that is backwards incompatible. 1052 Use of SINs allows the use of a direct trust model to provide end-to- 1053 end security using existing, unmodified email clients and other 1054 Internet applications. 1056 For example, Bob might use Microsoft Outlook 2019, an email 1057 application that has no support for SINs as his email client. He 1058 configures Outlook to direct outbound mail through a SIN-aware proxy 1059 service. When Bob attempts to send mail to a strong email address 1060 for Alice, the proxy recognizes that the email address is a SIN and 1061 ensures that the necessary security enhancements are applied to meet 1062 the implicit security policy. 1064 3.4. Trust notary 1066 A Mesh trust notary is a chained notary service that accepts 1067 notarization requests from users and enrolls them in a publicly 1068 visible, tamper-evident, append-only log. 1070 The practices for operation of the trust notary are currently 1071 undefined but should be expected to follow the approach described 1072 above. 1074 The trust notary protocol provides support for establishing an 1075 internotary through cross certification. The append only log format 1076 is a DARE Container [draft-hallambaker-mesh-dare], the service 1077 protocol is currently in development. 1079 3.5. Endorsement 1081 An endorsement is a document submitted to a trust notary that 1082 includes a claim of the form 'public key X is held by user Y'. Mesh 1083 endorsements may be issued by CAs or by ordinary users. 1085 3.6. Evaluating trust 1087 One of the chief advantages of the World Wide Web over previous 1088 networked hypertext proposals was that it provided no means of 1089 searching for content. While the lack of a search capability was an 1090 obstacle to content discovery in the early Web, competing solutions 1091 to meeting this need were deployed, revised and replaced. 1093 The Mesh takes the same approach to evaluation of trust. The Mesh 1094 provides an infrastructure for expression of trust claims but is 1095 silent on their interpretation. As with the development of search 1096 for the Web, the evaluation of trust in the Mesh is left to the 1097 application of venture capital to deep AI. 1099 4. Conclusions 1101 This paper describes the principal approaches used to establish 1102 Internet trust, a means of evaluating them and a proposed successor. 1103 It now remains to determine the effectiveness of the proposed 1104 approach by attempting deployment. 1106 5. Security Considerations 1108 This document describes the means by which interparty identification 1109 risk is managed and controlled in the Mathematical Mesh. 1111 The security considerations for use and implementation of Mesh 1112 services and applications are described in the Mesh Security 1113 Considerations guide [draft-hallambaker-mesh-security]. 1115 6. Acknowledgements 1117 A list of people who have contributed to the design of the Mesh is 1118 presented in [draft-hallambaker-mesh-architecture]. 1120 7. Normative References 1122 [draft-hallambaker-mesh-architecture] 1123 Hallam-Baker, P., "Mathematical Mesh 3.0 Part I: 1124 Architecture Guide", Work in Progress, Internet-Draft, 1125 draft-hallambaker-mesh-architecture-16, 13 January 2021, 1126 . 1129 [draft-hallambaker-mesh-security] 1130 Hallam-Baker, P., "Mathematical Mesh 3.0 Part VII: 1131 Security Considerations", Work in Progress, Internet- 1132 Draft, draft-hallambaker-mesh-security-06, 2 November 1133 2020, . 1136 8. Informative References 1138 [Adrian2015] 1139 Adrian, D., "Weak Diffie-Hellman and the Logjam Attack", 1140 October 2015. 1142 [Bitcoin] Finley, K., "After 10 Years, Bitcoin Has Changed 1143 Everything?And Nothing", November 2018. 1145 [Diffie76] Diffie, W. and M. E. Hellman, "New Directions in 1146 Cryptography", November 1976. 1148 [draft-hallambaker-mesh-dare] 1149 Hallam-Baker, P., "Mathematical Mesh 3.0 Part III : Data 1150 At Rest Encryption (DARE)", Work in Progress, Internet- 1151 Draft, draft-hallambaker-mesh-dare-11, 13 January 2021, 1152 . 1155 [draft-hallambaker-mesh-udf] 1156 Hallam-Baker, P., "Mathematical Mesh 3.0 Part II: Uniform 1157 Data Fingerprint.", Work in Progress, Internet-Draft, 1158 draft-hallambaker-mesh-udf-12, 13 January 2021, 1159 . 1162 [Haber91] Haber, S. and W. S. Stornetta, "How to Time-Stamp a 1163 Digital Document", 1991. 1165 [Intel2018] 1166 Bell, L., "Intel delays 10nm Cannon Lake processors, 1167 again, until late 2019", July 2018. 1169 [Kohnfelder78] 1170 Kohnfelder, L. M., "Towards a Practical Public-Key 1171 Cryptosystem", May 1978. 1173 [Namecoin] Inc., N., "Namecoin Web Site", 2019. 1175 [Ratchet] Marlinspike, M. and T. Perrin, "The Double Ratchet 1176 Algorithm", November 2016. 1178 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 1179 Key Derivation Function (HKDF)", RFC 5869, 1180 DOI 10.17487/RFC5869, May 2010, 1181 . 1183 [RFC6246] Sajassi, A., Brockners, F., Mohan, D., and Y. Serbest, 1184 "Virtual Private LAN Service (VPLS) Interoperability with 1185 Customer Edge (CE) Bridges", RFC 6246, 1186 DOI 10.17487/RFC6246, June 2011, 1187 . 1189 [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate 1190 Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013, 1191 . 1193 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1194 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1195 . 1197 [Schneier2013] 1198 Schneier, B., "Defending Against Crypto Backdoors", 1199 October 2013. 1201 [Shannon1949] 1202 Shannon, C. E., "Communication Theory of Secrecy Systems", 1203 1949.