< draft-hallambaker-mesh-trust-00.txt   draft-hallambaker-mesh-trust-01.txt >
Network Working Group P. Hallam-Baker Network Working Group P. Hallam-Baker
Internet-Draft January 18, 2019 Internet-Draft April 4, 2019
Intended status: Informational Intended status: Informational
Expires: July 22, 2019 Expires: October 6, 2019
Mathematical Mesh Part IV: The Trust Mesh Mathematical Mesh Part VI: The Trust Mesh
draft-hallambaker-mesh-trust-00 draft-hallambaker-mesh-trust-01
Abstract Abstract
This paper extends Shannon's concept of a 'work factor' as applied to This paper extends Shannon's concept of a 'work factor' as applied to
evaluation of cryptographic algorithms to provide an objective evaluation of cryptographic algorithms to provide an objective
measure of the practical security offered by a protocol or measure of the practical security offered by a protocol or
infrastructure design. Considering the hypothetical work factor infrastructure design. Considering the hypothetical work factor
based on an informed estimate of the probable capabilities of an based on an informed estimate of the probable capabilities of an
attacker with unknown resources provides a better indication of the attacker with unknown resources provides a better indication of the
relative strength of protocol designs than the computational work relative strength of protocol designs than the computational work
skipping to change at page 1, line 35 skipping to change at page 1, line 35
social work factor allows evaluation of Certificate Authority based social work factor allows evaluation of Certificate Authority based
trust models and peer to peer (Web of Trust) models to be evaluated trust models and peer to peer (Web of Trust) models to be evaluated
in the same framework. The analysis demonstrates that both in the same framework. The analysis demonstrates that both
approaches have limitations and that in certain applications, a approaches have limitations and that in certain applications, a
blended model is superior to either by itself. blended model is superior to either by itself.
The final section of the paper describes a proposal to realize this The final section of the paper describes a proposal to realize this
blended model using the Mathematical Mesh. blended model using the Mathematical Mesh.
This document is also available online at This document is also available online at
http://mathmesh.com/Documents/draft-hallambaker-mesh- trust.html [1] http://mathmesh.com/Documents/draft-hallambaker-mesh-trust.html [1] .
.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 22, 2019. This Internet-Draft will expire on October 6, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 4 skipping to change at page 3, line 4
2.1.5. Chained notary . . . . . . . . . . . . . . . . . . . 18 2.1.5. Chained notary . . . . . . . . . . . . . . . . . . . 18
2.1.6. A blended approach . . . . . . . . . . . . . . . . . 19 2.1.6. A blended approach . . . . . . . . . . . . . . . . . 19
3. The Mesh of Trust . . . . . . . . . . . . . . . . . . . . . . 21 3. The Mesh of Trust . . . . . . . . . . . . . . . . . . . . . . 21
3.1. Master Profile . . . . . . . . . . . . . . . . . . . . . 21 3.1. Master Profile . . . . . . . . . . . . . . . . . . . . . 21
3.2. Uniform Data Fingerprints . . . . . . . . . . . . . . . . 21 3.2. Uniform Data Fingerprints . . . . . . . . . . . . . . . . 21
3.3. Strong Internet Names . . . . . . . . . . . . . . . . . . 22 3.3. Strong Internet Names . . . . . . . . . . . . . . . . . . 22
3.4. Trust notary . . . . . . . . . . . . . . . . . . . . . . 23 3.4. Trust notary . . . . . . . . . . . . . . . . . . . . . . 23
3.5. Endorsement . . . . . . . . . . . . . . . . . . . . . . . 23 3.5. Endorsement . . . . . . . . . . . . . . . . . . . . . . . 23
3.6. Evaluating trust . . . . . . . . . . . . . . . . . . . . 23 3.6. Evaluating trust . . . . . . . . . . . . . . . . . . . . 23
4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 24 4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 24
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 5. Security Considerations . . . . . . . . . . . . . . . . . . . 24
5.1. Informative References . . . . . . . . . . . . . . . . . 24 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 25 6.1. Normative References . . . . . . . . . . . . . . . . . . 24
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 25 6.2. Informative References . . . . . . . . . . . . . . . . . 24
6.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 26
1. Work Factor 1. Work Factor
Recent events have highlighted both the need for open standards-based Recent events have highlighted both the need for open standards-based
security protocols and the possibility that the design of such security protocols and the possibility that the design of such
protocols may have been sabotaged [Schneier2013] . We thus face two protocols may have been sabotaged [Schneier2013] . We thus face two
important and difficult challenges, first to design an Internet important and difficult challenges, first to design an Internet
security infrastructure that offers practical security against the security infrastructure that offers practical security against the
class of attacks revealed, and secondly, to convince potential users class of attacks revealed, and secondly, to convince potential users
that the proposed new infrastructure has not been similarly that the proposed new infrastructure has not been similarly
skipping to change at page 3, line 44 skipping to change at page 3, line 46
One of Shannon's key insights was that the work factor of a One of Shannon's key insights was that the work factor of a
cryptographic algorithm could be exponential. Adding a single bit to cryptographic algorithm could be exponential. Adding a single bit to
the key size of an ideal symmetric algorithm presents only a modest the key size of an ideal symmetric algorithm presents only a modest
increase in computational effort for the defender but doubles the increase in computational effort for the defender but doubles the
work factor for the attacker. work factor for the attacker.
More precisely, the difficulty of breaking a cryptographic algorithm More precisely, the difficulty of breaking a cryptographic algorithm
is generally measured by the work-factor ratio. If the cost of is generally measured by the work-factor ratio. If the cost of
encrypting a block with 56-bit DES is x, the worst case cost of encrypting a block with 56-bit DES is x, the worst case cost of
recovering the key through a brute force attack is 256x. The recovering the key through a brute force attack is 2^56x. The
security of DES has changed over time because x has fallen security of DES has changed over time because x has fallen
exponentially. exponentially.
While the work factor is traditionally measured in terms of the While the work factor is traditionally measured in terms of the
number of operations, many cryptanalytic techniques permit memory number of operations, many cryptanalytic techniques permit memory
used to be traded for computational complexity. An attack requiring used to be traded for computational complexity. An attack requiring
264 bytes of memory that reduces the number of operations required to 2^64 bytes of memory that reduces the number of operations required
break a 128 bit cipher to 264 is a rather lower concern than one to break a 128 bit cipher to 2^64 is a rather lower concern than one
which reduces the number of operations to 280. The term 'cost' is which reduces the number of operations to 2^80. The term 'cost' is
used to gloss over such distinctions. used to gloss over such distinctions.
The Computational Work Factor ratio WF-C (A) of a cryptographic The Computational Work Factor ratio WF-C (A) of a cryptographic
algorithm A, is the cost of the best-known attack divided by the cost algorithm A, is the cost of the best-known attack divided by the cost
of the algorithm itself. of the algorithm itself.
1.2. Hypothetical Work Factor 1.2. Hypothetical Work Factor
Modern cryptographic algorithms use keys of 128 bits or more and Modern cryptographic algorithms use keys of 128 bits or more and
present a work factor ratio of 2128 against brute force attack. This present a work factor ratio of 2^128 against brute force attack.
work factor is at least 272 times higher than DES and comfortably This work factor is at least 2^72 times higher than DES and
higher than the work factor of 280 operations that is generally comfortably higher than the work factor of 2^80 operations that is
believed to be the practical limit to current attacks. generally believed to be the practical limit to current attacks.
Though Moore's law has delivered exponential improvements in Though Moore's law has delivered exponential improvements in
computing performance over the past four decades, this has been computing performance over the past four decades, this has been
achieved through continual reductions in the minimum feature size of achieved through continual reductions in the minimum feature size of
VLSI circuits. As the minimum feature size rapidly approaches the VLSI circuits. As the minimum feature size rapidly approaches the
size of individual atoms, this mechanism has already begun to stall size of individual atoms, this mechanism has already begun to stall
[Intel2018] . [Intel2018] .
While an exceptionally well-resourced attacker may gain performance While an exceptionally well-resourced attacker may gain performance
advances through use of massive parallelism, faster clock rates made advances through use of massive parallelism, faster clock rates made
skipping to change at page 5, line 8 skipping to change at page 5, line 10
likely capabilities. In particular, it is the capabilities of likely capabilities. In particular, it is the capabilities of
nation-state actors that generally give rise to greatest concern in nation-state actors that generally give rise to greatest concern in
security protocol design. In this paper we refer to this set of security protocol design. In this paper we refer to this set of
actors as nation-state class adversaries in recognition of the fact actors as nation-state class adversaries in recognition of the fact
that certain technology companies posses computing capabilities that that certain technology companies posses computing capabilities that
rival if not exceed those of the largest state actors and those rival if not exceed those of the largest state actors and those
capabilities could at least in theory be co-opted for other purposes capabilities could at least in theory be co-opted for other purposes
in certain circumstances. in certain circumstances.
The probability that a nation-state class has discovered an attack The probability that a nation-state class has discovered an attack
against AES-128 with a work factor ratio of 2120 might be considered against AES-128 with a work factor ratio of 2^120 might be considered
relatively high while the probability that an attack with a work relatively high while the probability that an attack with a work
factor ratio of less than 264 is very low. factor ratio of less than 2^64 is very low.
We define the hypothetical work factor function WF-H (A, p) as We define the hypothetical work factor function WF-H (A, p) as
follows: If WF is a work factor ratio and p is an informed estimate follows: If WF is a work factor ratio and p is an informed estimate
of the probability that an adversary has developed an attack with a of the probability that an adversary has developed an attack with a
work factor ratio against algorithm A of WF or less then WF-H (A, p) work factor ratio against algorithm A of WF or less then WF-H (A, p)
= WF. = WF.
Since the best-known public attack is known to the attacker, WF-H (A, Since the best-known public attack is known to the attacker, WF-H (A,
1) = CWF (A) 1) = _CWF (A)
The inverse function WF-H' (A, WF) returns the estimated probability The inverse function WF-H' (A, WF) returns the estimated probability
that the work factor of algorithm A is at least WF. that the work factor of algorithm A is at least WF.
The hypothetical work factor and its inverse may be used to compare The hypothetical work factor and its inverse may be used to compare
the relative strengths of protocol designs. Given designs A and B, the relative strengths of protocol designs. Given designs A and B,
we can state that B is an improvement on A if WF-H (A,p) > WF-H (B,p) we can state that B is an improvement on A if WF-H (A,p) > WF-H (B,p)
for all p. for all p.
When considering a protocol or infrastructure design we can thus When considering a protocol or infrastructure design we can thus
skipping to change at page 7, line 12 skipping to change at page 7, line 15
For example, consider the case in which a choice between a single For example, consider the case in which a choice between a single
security control and a defense in depth strategy is being considered: security control and a defense in depth strategy is being considered:
o Option A: Uses algorithm X for protection. o Option A: Uses algorithm X for protection.
o Option B: Uses a combination of algorithm X and algorithm Y for o Option B: Uses a combination of algorithm X and algorithm Y for
protection such that the attacker must defeat both to break the protection such that the attacker must defeat both to break the
system and algorithms based on different cryptographic principles system and algorithms based on different cryptographic principles
are chosen so as to minimize the risk of a common failure mode. are chosen so as to minimize the risk of a common failure mode.
If the computational work factor for both algorithms X and Y is 2128, If the computational work factor for both algorithms X and Y is
both options present the same work factor ratio. Although Option B 2^128, both options present the same work factor ratio. Although
offers twice the security, it also requires twice the work. Option B offers twice the security, it also requires twice the work.
The argument that normally wins is that both options present the same The argument that normally wins is that both options present the same
computational work factor ratio of 2128, Option A is simpler and computational work factor ratio of 2^128, Option A is simpler and
therefore Option A should be chosen. This despite the obvious fact therefore Option A should be chosen. This despite the obvious fact
that only Option B offers defense in depth. that only Option B offers defense in depth.
If we consider the adversary of being capable of performing a work If we consider the adversary of being capable of performing a work
factor ratio of 280 and the probability the attacker has discovered factor ratio of 2^80 and the probability the attacker has discovered
an attack capable of breaking algorithms X and Y to be 10% in each an attack capable of breaking algorithms X and Y to be 10% in each
case, the probability that the attacker can break Option A is 10% case, the probability that the attacker can break Option A is 10%
while the probability that an attack on Option B is only 1%, a while the probability that an attack on Option B is only 1%, a
significant improvement. significant improvement.
While Option B clearly offers a significant potential improvement in While Option B clearly offers a significant potential improvement in
security, this improvement is only fully realized if the security, this improvement is only fully realized if the
probabilities of a feasible attack are independent. probabilities of a feasible attack are independent.
1.5. Mutual Reinforcement 1.5. Mutual Reinforcement
The defense in depth approach affords a significant improvement in The defense in depth approach affords a significant improvement in
security but an improvement that is incremental rather than security but an improvement that is incremental rather than
exponential in character. With mutual reinforcement we design the exponential in character. With mutual reinforcement we design the
mechanism such that in addition to requiring the attacker to break mechanism such that in addition to requiring the attacker to break
each of the component algorithms, the difficulty of the attacks is each of the component algorithms, the difficulty of the attacks is
increased. increased.
For example, consider the use of a Deterministic Random Number For example, consider the use of a Deterministic Random Number
Generator R(s,n) which returns a sequence of values R(s,1), R(s,2)? Generator R(s,n) which returns a sequence of values R(s,1), R(s,2)...
from an initial seed s. from an initial seed s.
Two major concerns in the design of such generators are the Two major concerns in the design of such generators are the
possibility of bias and that the seed value be somehow leaked through possibility of bias and that the seed value be somehow leaked through
a side channel. a side channel.
Both concerns are mitigated if instead of using the output of one Both concerns are mitigated if instead of using the output of one
generator directly, two independent random number generators with generator directly, two independent random number generators with
distinct seeds are used. distinct seeds are used.
skipping to change at page 8, line 46 skipping to change at page 9, line 4
attack, the concern is not just whether an individual communication attack, the concern is not just whether an individual communication
might be compromised but the number of communications that may be might be compromised but the number of communications that may be
compromised for a given amount of effort. compromised for a given amount of effort.
'Perfect' Forward Secrecy is an optional feature supported in IPSec 'Perfect' Forward Secrecy is an optional feature supported in IPSec
and TLS. In 2008, implementations of TLS/1.2 [RFC6246] purported to and TLS. In 2008, implementations of TLS/1.2 [RFC6246] purported to
offer a choice between: offer a choice between:
Direct key exchange with a work factor dependent on the difficulty of Direct key exchange with a work factor dependent on the difficulty of
breaking RSA 2048 breaking RSA 2048
Direct key exchange followed by a perfect forward secrecy exchange Direct key exchange followed by a perfect forward secrecy exchange
with a work factor dependent on the difficulty of breaking both RSA with a work factor dependent on the difficulty of breaking both RSA
2048 and DH 1024. 2048 and DH 1024.
Using the computational work factor alone suggests that the second Using the computational work factor alone suggests that the second
scheme has little advantage over the first since the computational scheme has little advantage over the first since the computational
work factor of Diffie Hellman using the best-known techniques 280 work factor of Diffie Hellman using the best-known techniques 2^80
while the computational work factor for RSA 2048 is 2112. Use of the while the computational work factor for RSA 2048 is 2^112. Use of
perfect forward secrecy exchange has a significant impact on server the perfect forward secrecy exchange has a significant impact on
performance but does not increase the difficulty of cryptanalysis. server performance but does not increase the difficulty of
cryptanalysis.
Use of perfect forward secrecy with a combination of RSA and Diffie Use of perfect forward secrecy with a combination of RSA and Diffie
Hellman does not provide a significant improvement in the Hellman does not provide a significant improvement in the
hypothetical work factor either if individual messages are hypothetical work factor either if individual messages are
considered. The RSA and Diffie Hellman systems are closely related considered. The RSA and Diffie Hellman systems are closely related
and so an attacker that can break RSA 2048 can almost certainly break and so an attacker that can break RSA 2048 can almost certainly break
RSA 1024. Moreover, computational work factor for DH 1024 is only RSA 1024. Moreover, computational work factor for DH 1024 is only
280 and thus feasibly within the reach of a well-funded and 2^80 and thus feasibly within the reach of a well-funded and
determined attacker. determined attacker.
According to the analysis informally applied during design, use of According to the analysis informally applied during design, use of
perfect forward secrecy does provide an important security benefit perfect forward secrecy does provide an important security benefit
when multiple messages are considered. While a sufficiently funded when multiple messages are considered. While a sufficiently funded
and determined attacker could conceivably break tens, hundreds or and determined attacker could conceivably break tens, hundreds or
even thousands of DH 1024 keys a year, it is rather less likely that even thousands of DH 1024 keys a year, it is rather less likely that
an attacker could break millions a year. The OCSP servers operated an attacker could break millions a year. The OCSP servers operated
by Comodo CA receive over 2 billion hits a day and this represents by Comodo CA receive over 2 billion hits a day and this represents
only a fraction of the number of uses of TLS on the Internet. Use of only a fraction of the number of uses of TLS on the Internet. Use of
skipping to change at page 10, line 5 skipping to change at page 10, line 11
exploits the fact that the difficulty of breaking the discrete exploits the fact that the difficulty of breaking the discrete
logarithm involves four major steps, the first three of which are the logarithm involves four major steps, the first three of which are the
most computationally intensive and only depend on the shared group most computationally intensive and only depend on the shared group
parameters. The cost of breaking a hundred Diffie Hellman public parameters. The cost of breaking a hundred Diffie Hellman public
keys is not a hundred times the cost of breaking a single key, there keys is not a hundred times the cost of breaking a single key, there
is almost no difference. is almost no difference.
Work factor analysis exposes these flaws in the design of the Work factor analysis exposes these flaws in the design of the
TLS/1.2. Since the session keys used to encrypt traffic do not TLS/1.2. Since the session keys used to encrypt traffic do not
depend on knowing the secret established in the RSA2048 exchange, the depend on knowing the secret established in the RSA2048 exchange, the
work factor of the protocol is the lesser of 280 and 2112. work factor of the protocol is the lesser of 2^80 and 2^112.
A simple means of ensuring that the work factor of a protocol is not A simple means of ensuring that the work factor of a protocol is not
reduced by a fresh key exchange is to use a one-way function such as reduced by a fresh key exchange is to use a one-way function such as
a cryptographic digest or a key exchange to combine the output of the a cryptographic digest or a key exchange to combine the output of the
prior exchange with its successor. This principle is employed in the prior exchange with its successor. This principle is employed in the
double ratchet algorithm [Ratchet] used in the Signal protocol. In double ratchet algorithm [Ratchet] used in the Signal protocol. In
the Mesh, the HKDF Key Derivation function [RFC5869] is frequently the Mesh, the HKDF Key Derivation function [RFC5869] is frequently
used for the same purpose. used for the same purpose.
The work factor downgrade issue was addressed in TLS/1.3 [RFC8446] The work factor downgrade issue was addressed in TLS/1.3 [RFC8446]
skipping to change at page 13, line 39 skipping to change at page 13, line 45
Introducing a backdoor into a HSM, application or operating system Introducing a backdoor into a HSM, application or operating system
platform requires that every person with access to the platform platform requires that every person with access to the platform
source or who might be called in to audit the code be a party to the source or who might be called in to audit the code be a party to the
conspiracy. Tapping the fiber optic cables that support the Internet conspiracy. Tapping the fiber optic cables that support the Internet
backbone requires only a small work crew and digging equipment. backbone requires only a small work crew and digging equipment.
Maintaining a covert backdoor in a major operating system platform Maintaining a covert backdoor in a major operating system platform
would require hundreds if not thousands of engineers to participate would require hundreds if not thousands of engineers to participate
in the conspiracy. in the conspiracy.
The Social Work Factor SWF(t) is a measure of the cost of The Social Work Factor _SWF(t) is a measure of the cost of
establishing a fraud in a conspiracy starting at date t. The cost is establishing a fraud in a conspiracy starting at date t. The cost is
measured in the number of actions that the party perpetrating the measured in the number of actions that the party perpetrating the
fraud must perform that carry a risk of exposure. fraud must perform that carry a risk of exposure.
In general, the Social Work Factor will increase over time. In general, the Social Work Factor will increase over time.
Perpetrating a fraud claiming that the Roman emperor Nero never Perpetrating a fraud claiming that the Roman emperor Nero never
existed today would require that millions of printed histories be existed today would require that millions of printed histories be
erased and rewritten, every person who has ever taught or taken a erased and rewritten, every person who has ever taught or taken a
lesson in Roman history would have to participate in the fraud. The lesson in Roman history would have to participate in the fraud. The
Social Work Factor would be clearly prohibitive. Social Work Factor would be clearly prohibitive.
The Social Work Factor in the immediate aftermath of Nero's The Social Work Factor in the immediate aftermath of Nero's
assassination in 68 would have been considerably lower. While the assassination in 68 would have been considerably lower. While the
emperor Nero was obviously not erased from history, this did happen emperor Nero was obviously not erased from history, this did happen
to Akhenaten, an Egyptian pharaoh of the 18th dynasty whose monuments to Akhenaten, an Egyptian pharaoh of the 18^th dynasty whose
were dismantled, statues destroyed, and his name erased from the monuments were dismantled, statues destroyed, and his name erased
lists of kings. from the lists of kings.
1.8.1. Related work 1.8.1. Related work
It has not escaped the notice of the author that the social work It has not escaped the notice of the author that the social work
factor might be applied as a general metric for assessing the factor might be applied as a general metric for assessing the
viability of a conspiracy hypothesis. viability of a conspiracy hypothesis.
Applying social work factor analysis to the moon landing conspiracy Applying social work factor analysis to the moon landing conspiracy
theory we note that almost all of the tens of thousands of NASA theory we note that almost all of the tens of thousands of NASA
employees who worked on the Apollo project would have had to be a employees who worked on the Apollo project would have had to be a
skipping to change at page 22, line 8 skipping to change at page 22, line 8
3.2. Uniform Data Fingerprints 3.2. Uniform Data Fingerprints
Direct trust in the Mesh is realized through use of Uniform Data Direct trust in the Mesh is realized through use of Uniform Data
Fingerprints (UDF) [draft-hallambaker-udf] . A UDF consists of a Fingerprints (UDF) [draft-hallambaker-udf] . A UDF consists of a
cryptographic digest (e.g. SHA-2-512) over a data sequence and a cryptographic digest (e.g. SHA-2-512) over a data sequence and a
content type identifier. content type identifier.
UDFs are presented as a Base32 encoded sequence with separators every UDFs are presented as a Base32 encoded sequence with separators every
25 characters. UDFs may be presented at different precisions 25 characters. UDFs may be presented at different precisions
according to the intended use. The 25-character presentation according to the intended use. The 25-character presentation
provides a work factor of 2117 and is short enough to put on a provides a work factor of 2^117 and is short enough to put on a
business card or present as a QR code. The 50-character presentation business card or present as a QR code. The 50-character presentation
provides a work factor of 2242 and is compact enough to be used in a provides a work factor of 2^242 and is compact enough to be used in a
configuration file. configuration file.
For example, the UDF of the text/plain sequence "UDF Data Value" may For example, the UDF of the text/plain sequence "UDF Data Value" may
be presented in either of the following forms: be presented in either of the following forms:
MDDK7-N6A72-7AJZN-OSTRX-XKS7D MDDK7-N6A72-7AJZN-OSTRX-XKS7D
MDDK7-N6A72-7AJZN-OSTRX-XKS7D-JAFXI-6OZSL-U2VOA-TZQ6J-MHPTS MDDK7-N6A72-7AJZN-OSTRX-XKS7D-JAFXI-6OZSL-U2VOA-TZQ6J-MHPTS
Figure 1
The UDF of a user's master profile signature key is used as a The UDF of a user's master profile signature key is used as a
persistent, permanent identifier of the user that is unique to them persistent, permanent identifier of the user that is unique to them
and will remain constant for their entire life unless they have and will remain constant for their entire life unless they have
reason to replace their master profile with a new one. The exchange reason to replace their master profile with a new one. The exchange
of master profile UDFs is the means by which Mesh users establish of master profile UDFs is the means by which Mesh users establish
direct trust. direct trust.
3.3. Strong Internet Names 3.3. Strong Internet Names
A Strong Internet name (SIN) [draft-hallambaker-sin] is a valid A Strong Internet name (SIN) [draft-hallambaker-sin] is a valid
skipping to change at page 24, line 12 skipping to change at page 24, line 12
for the Web, the evaluation of trust in the Mesh is left to the for the Web, the evaluation of trust in the Mesh is left to the
application of venture capital to deep AI. application of venture capital to deep AI.
4. Conclusions 4. Conclusions
This paper describes the principal approaches used to establish This paper describes the principal approaches used to establish
Internet trust, a means of evaluating them and a proposed successor. Internet trust, a means of evaluating them and a proposed successor.
It now remains to determine the effectiveness of the proposed It now remains to determine the effectiveness of the proposed
approach by attempting deployment. approach by attempting deployment.
5. References 5. Security Considerations
5.1. Informative References This document describes the means by which interparty identification
risk is managed and controlled in the Mathematical Mesh.
The security considerations for use and implementation of Mesh
services and applications are described in the Mesh Security
Considerations guide [draft-hallambaker-mesh-security] .
6. References
6.1. Normative References
[draft-hallambaker-mesh-security]
"[Reference Not Found!]".
6.2. Informative References
[Adrian2015] [Adrian2015]
Adrian, D., "Weak Diffie-Hellman and the Logjam Attack", Adrian, D., "Weak Diffie-Hellman and the Logjam Attack",
October 2015. October 2015.
[Bitcoin] Finley, K., "After 10 Years, Bitcoin Has Changed [Bitcoin] Finley, K., "After 10 Years, Bitcoin Has Changed
Everything?And Nothing", November 2018. Everything?And Nothing", November 2018.
[Diffie76] [Diffie76]
Diffie, W. and M. Hellman, "New Directions in Diffie, W. and M. Hellman, "New Directions in
skipping to change at page 24, line 52 skipping to change at page 25, line 17
[Intel2018] [Intel2018]
Bell, L., "Intel delays 10nm Cannon Lake processors, Bell, L., "Intel delays 10nm Cannon Lake processors,
again, until late 2019", July 2018. again, until late 2019", July 2018.
[Kohnfelder78] [Kohnfelder78]
Kohnfelder, L., "Towards a Practical Public-Key Kohnfelder, L., "Towards a Practical Public-Key
Cryptosystem", May 1978. Cryptosystem", May 1978.
[Namecoin] [Namecoin]
"Namecoin Web Site", 2019. Inc., N., "Namecoin Web Site", 2019.
[Ratchet] Marlinspike, M. and T. Perrin, "The Double Ratchet [Ratchet] Marlinspike, M. and T. Perrin, "The Double Ratchet
Algorithm", November 2016. Algorithm", November 2016.
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869, Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010. DOI 10.17487/RFC5869, May 2010.
[RFC6246] Sajassi, A., Brockners, F., Mohan, D., and Y. Serbest, [RFC6246] Sajassi, A., Brockners, F., Mohan, D., and Y. Serbest,
"Virtual Private LAN Service (VPLS) Interoperability with "Virtual Private LAN Service (VPLS) Interoperability with
skipping to change at page 25, line 31 skipping to change at page 25, line 45
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018. Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.
[Schneier2013] [Schneier2013]
Schneier, B., "Defending Against Crypto Backdoors", Schneier, B., "Defending Against Crypto Backdoors",
October 2013. October 2013.
[Shannon1949] [Shannon1949]
Shannon, C., "Communication Theory of Secrecy Systems", Shannon, C., "Communication Theory of Secrecy Systems",
1949. 1949.
5.2. URIs 6.3. URIs
[1] http://mathmesh.com/Documents/draft-hallambaker-mesh- trust.html [1] http://mathmesh.com/Documents/draft-hallambaker-mesh-trust.html
Author's Address Author's Address
Phillip Hallam-Baker Phillip Hallam-Baker
Email: phill@hallambaker.com Email: phill@hallambaker.com
 End of changes. 30 change blocks. 
48 lines changed or deleted 61 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/