Re: Scope for self-destructing email?


 



This is a problem I have been considering for some time. And everyone in this thread is right. Right on the facts at least. Most are wrong on the implications.

When the Web was launched in 1992, it was dismissed by the network hypertext crowd because it did not solve the problem of referential transparency that Ted Nelson insisted was really really important. It was not, the Web worked fine with 404 not found. In fact it didn't work fine, it worked better.

It was this insight that led me to propose Confidential Document Control (CDC) as a subset of the Digital Rights Management (DRM) Problem. I have a draft if you are interested in the math or just like looking at the pretty SVG pictures we can use in HTML:



What I realized was that there are two difficult problems in the DRM problem:

1) Restricting initial distribution of confidential data to the set of authorized parties.

2) Preventing disclosure by authorized parties to others.

These are both challenging technical problems that cannot be solved with the cryptographic toolset used in OpenPGP and S/MIME. Mesh/Recrypt addresses the first. It uses cryptography that can be understood by high school students but it is cryptography that nobody had worked out how to apply in practice that way until now[1].

Solving the first problem really wasn't impossible. I am pretty sure that many others could have done what I have. But I rather suspect the reason they did not is that the whole field of DRM has been poisoned by two facts:

1) Preventing disclosure by authorized parties to others requires the use of trustworthy hardware and no hardware is 100% trustworthy.

2) The whole field of DRM has been poisoned by anti-copyright enforcement ideology.

The problem that began this thread, 'burn after 24 hours', is simply another type of attribute describing a restriction we wish to enforce on the use of the document.

At the moment, Mesh/Recrypt is deliberately limited to solving only the first part of the DRM problem. It only addresses the initial distribution of the documents. This is the subset I call Confidential Document Control. One reason for this limitation is that authorization policy languages are a whole different patent minefield to navigate. But the other is that I get 95% of the value of a full DRM system with just my CDC component.

Consider recent US government breaches:

* Did Snowden need to read any of the PowerPoint files?
* Did Chelsea Manning need to have access to 250,000 cables?
* Did everyone working in the CIA need access to the website with the malware tools?
* Should the Secretary of State have reasonably considered the GSA mail services secure when it is likely thousands of personnel and contractors had access to them?

When we drill down, the number of leaks by a person with a need to know the material in question is a tiny fraction of the people who have access today. Without a practical, standards-based means of performing data level encryption, the leaks are going to continue.

It is the same in the enterprise. While it is possible that the criminal gangs that attacked HBO to leak Game of Thrones did so by suborning an insider, it is vastly more likely that they compromised a machine on the corporate network and leveraged it. CDC rather than full DRM would almost certainly have been sufficient.


So what then of DRM? Am I saying it has absolutely no use? Absolutely not. Because security is risk control, not risk elimination. It is not necessary to provide an absolute guarantee that the data will not leak in any possible circumstance to provide value. Trustworthy hardware does not need to be 100% trustworthy to provide useful risk control in the enterprise. 

In fact, there is only one area in which DRM has to be 100% and that is copyright enforcement and that is because it is break once run anywhere. So I can certainly help HBO stop their shows leaking before show date but I am not going to promise anything after they have shared their secret with ten million of their closest friends. 

For early adopter purposes, the hardware used to distribute material need not be any more trustworthy than an iPad Pro. Of course you or I or any number of folk could probably work out how to bypass that level of security given physical access to the device. But the fact is that what most people want is for the machine to help them not leak stuff accidentally. They have absolutely no intention of jailbreaking their corporate phone or tablet.


So here is what I propose. Let us start this journey by working on a solution to the CDC part of the problem. Which will take us some time. Solving the CDC problem is a subset of the enterprise DRM problem. 

And if we win, then it's like pinball - you win, you get to play again. Adding a security policy language to describe permitted uses is a trivial engineering task. The hard part would be the prior art search.

PHB


[1] Well I hope this is the case as I am going to be doing just that later this year.

