Interview: Prof. Gene Spafford, security researcher

Posted 8 Jan 2002 at 04:25 UTC by pkiforum Share This

We have published the second part of our interview with the prominent security researcher and educator, Prof. Gene Spafford (you can read part one if you missed it)

In the interview Spafford discusses a wide range of topics including:

  • the major challenges in information security
  • public key infrastructure adoption
  • public key infrastructure standards and interoperability issues
  • digital certificates and privacy
  • wireless security
  • issues surrounding key backup and recovery
  • key escrow
  • security education
  • certificate revocation and trust
  • the fraudulent VeriSign/Microsoft code-signing certificate incident
  • his views on the technological society
  • and predictions for the future.

Technology for the People, posted 8 Jan 2002 at 08:23 UTC by goingware » (Master)

I am impressed by Dr. Spafford's emphasis that technology should serve the needs of people as people, to make all our lives better, rather than being an end in itself.

How many of us can honestly say that computers have made our lives easier? Do you have more leisure hours than before PC's were commonplace?

The one thing I can say is that computers and the Internet have enabled me to work at home, in the country, but I'm afraid I don't have more leisure time than when I worked in an office! Much less!

Also, from the first part, Spafford emphasizes the problem of the average person not knowing that they should use secure machines, or how to do so. I have experienced this first hand, trying to get a friend (who is a very experienced programmer) to put a personal firewall on his PC connected to @home DSL. He just didn't see the point. If I can't convince another programmer to enable security, how can I convince someone who doesn't understand computers at all?

defaults, posted 8 Jan 2002 at 10:45 UTC by Malx » (Journeyer)

Why to convice anyone?!
There must be clever defaults in config settings... It's all.

In need for an free Identity Management daemon?, posted 8 Jan 2002 at 16:05 UTC by dannu » (Journeyer)

I studied and worked with cryptography-technologies a lot. I'd like to suggest an agenda for the ever repeating (cryptographic) security problems. First a little analysis (or rather my point of view :-)

  • making PKI trustfully work at the user level is difficult

  • if you have one identity (say one email address) and use a PKI managed Key for this, you completly loose anonymity. Therefore we need multiple identities which are a pain to manage at the moment (my brain is too limited for this)

  • having "security" in email and web-services is the first important step for (encryption) user-security at the moment

  • important: first security-schemes should satisfy and work for the experienced users/programmers. Only if that's successful (which can take years) then go for the mainstream. don't try to build a premature system aimed at working for anyone where it can't. See "crossing the chasm" by Geoffrey Moore for more details :-)

    To resolve these issues we need an Identity Management. This could be a simple-enough system daemon (ala ssh-agent) implementing the following scheme:

  • it runs always (like dns/smtpdaemons)

  • you can create as many identities as you like.

  • generate mail-aliases (or hotmail-accounts:-) on the fly

  • automatically generate public/private keys (GPG) for each identity

  • Some PKI is used at the system level not at the user level. At best we can construct a p2p web-of-trust network for this.

  • simple Interfaces in C/python/java/corba/xml-rpc/soap/whatever

  • patch email clients, ssh-agent and auto-formfills of browsers to use keys/infos from the identity-daemon

  • write a web-interface/gui to configure your identities and set your "current" identity.

    The nice thing is that many parts of this proposed scheme are already there, at least conceptually. There is proably no argument that this all has to be done with free software and must not be owned by any company.

    Doesn't this seem feasible? I am thinking about this a long time now. Finally i want to implement it. Please contact me if you are interested in any collaboration (e.g. a ml). holger at trillke net or go to a wiki for this if you like. or post comments or whatever...
  • New Advogato Features

    New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

    Keep up with the latest Advogato features by reading the Advogato status blog.

    If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

    Share this page