Friday
I watched Drew playing NetHack during a slow moment in the FSG booth, and he and I traded NetHack tips. He might be the most knowledgeable NetHack player I know; unlike me, he regularly consults spoilers and source code.
Duncan and Drew and I went out for lunch to a street fair/farmers' market which was in progress right outside the convention center. There was some nice stuff on sale; I got a black and white cookie and some Indian food (samosas, naan, and an interesting chutney).
Drew had organized a PGP BOF session which was billed as a keysigning. Manoj of Manoj's Key-Signing Protocol fame was to be there -- and so, the rumor went, was Phil Zimmermann.
I helped Drew print out the key fingerprint sheet in the conference office, and as we were working on stapling them together, a man walked up, looking for all the world like the pictures of Phil Zimmermann you see in the magazines.
Man: Hi, can you tell me where the BOF sessions will be?Seth: Up that escalator, turn right, past the elevators, up the stairs, around the corner, through the door, and then find the room you're looking for. [Yes, that is actually how you get to the hotel's meeting rooms from the convention center lobby.]
Man: Do you know which room the PGP BOF is in?
Seth: I think the Oakland room -- that's his BOF [points at Drew].
Drew: That's me. It starts at seven.
Man: What's going on until then? Are there other BOF sessions?
Drew: There's the historian --
Seth: Yeah, Peter Salus, who wrote A Quarter Century of UNIX, is speaking over in that ballroom [points down hallway] about the ten years, the ten year history of Linux, since 1991. That should be interesting. We just have to get ready for the keysigning.
[Man walks toward ballroom; we continue stapling. After a minute or two, he comes back up to the table.]
Man: What's the PGP BOF about? Is it just a keysigning?
Drew: Actually, we're going to have a keysigning, but I thought I'd start out at the beginning with a brief introduction, about fifteen minutes, explaining the concepts of keysigning, the keysigning protocol, what public key cryptography is all about, for the benefit of people who haven't been to one of these before.
Man: Is there time for any general discussion of PGP?
Drew: Well, I thought we could take about 30 to 40 minutes before the keysigning for social stuff, for issues about the uses of PGP. So we might have the social and general part first, and then move into a keysigning. We're hoping that Phil Zimmermann will come.
Man: [Raises hand.] That's me.
Phil and Drew proceeded to have a very interesting conversation about PGP, which drew a small crowd -- everyone nearby who'd heard Phil identify himself as Phil Zimmermann -- and when it was about time for the BOF, we wandered upstairs and Phil walked off briefly to get some dinner.
The BOF session was packed, partly because people have such a fierce competition to improve their keyanalyze rankings, and partly because they heard Phil would be there. He gave a long disquisition on the recent history of PGP (and his experiences at NAI), with his speculations on the future of the software now that NAI is getting rid of it. It was very colorful and very interesting and probably all new to the people there -- technical experts and hard-core cryptography enthusiasts though they were -- because they were all in the free software orbit, GNU users, and hadn't been following the adventures of the original commercial code base.
Phil took a number of questions and asked the audience not to publish some of his answers -- so I won't. As I was about to ask Phil opinion of Brad Templeton's e-mail encryption idea, Phil mentioned the very problem Brad identifies in his essay: e-mail encryption is too hard for most people to use, or at least more trouble than they think it's worth. (It might be better to say that most computer users could learn, and could do it, but they don't make a priority of it, because it doesn't seem beneficial enough to them.)
The biggest problem, Brad and Phil observe, is that key infrastructure is such a pain; most prospective users don't understand it at all, and in any case aren't willing to go through the steps involving fingerprints and fingerprint verification and looking at trust paths and so forth. They probably would be willing to do a one-time step to generate a key, but then they would expect other people to be able to get and use that key automatically, transparently, without any additional steps. And we all know that this is impossible, but Brad insists that it's got to happen if the general public is going to use cryptography. (He doesn't even endorse the idea that a user would be willing to explicitly generate a keypair in the first place.) Now, Phil and Brad suggest that perhaps this problem could be addressed by streamlining and automating key exchanges...
Manoj and Phil got into a notable argument at this point in Phil's talk. Manoj is well known for thinking that most users of cryptography don't do enough thinking about security precautions. (He suggestions physical isolation for machines which store private keys -- not connecting them to a network -- as well as the use of more stringent key-signing protocols, and more attention to the details of key validity and trust paths.)
So here Phil started to talk about threat models and how uncommon were MITM attacks and how useful PGP might be to the general public even without the whole web of trust. And Manoj was just shocked; you could see it. He asked, in a very polite and reasonable way, why it was necessary to undermine the security that PGP was capable of attaining. He didn't see the benefit.
Phil and Manoj went back and forth on this for a bit and clarified that they were talking about distinct ways of using the technology; there was a certain trade-off between security and convenience and Manoj did not want to give up any security. Phil maintained that some users would want to give up some security so that they could use cryptography at all -- otherwise they wouldn't get any of its benefits. He's always been very keen on spreading "encryption's bounty" (as the Ninth Circuit described it in the Bernstein case) as far and wide as possible.
Phil's specific proposed solution is different from Brad's -- Phil is talking about a "robot CA" which performs an automated protocol to verify that a certain private key is owned by someone who also has control over (can send and receive mail using) a certain e-mail address. It doesn't verify identities, just the mapping between e-mail addresses and keys. (So, for example, the robot CA could verify that this key 0167CA38 with a certain fingerprint does belong to the person who reads mail at schoen@loyalty.org -- but not that the person who reads mail at that address actually is Seth Schoen. The former assurance is good enough for many purposes, e.g. when you only know somebody through e-mail, or when you have an out-of-band way to verify somebody's e-mail address.)
After this discussion, Phil went home, and we did a keysigning. Manoj didn't sign my key (because I don't have government issued photo ID) and everyone else did (because I showed them my bank cards and stuff, and many of them knew me from other contexts). After the keysigning, many of us went to dinner at the Thai restaurant across the street from the convention center. It's really delicious.
One great thing was that two high school students were there. I already knew both of them from before, so it's not that the pool of high school students who are into free software is necessarily expanding rapidly. But I just thought that going to something like ALS was exactly the kind of thing I would have loved to do in high school.
As it turned out, though, I also loved the things I did do in high school.
