Binding cryptography - much work, little point ?

[peter.allan@aeat.co.uk (Peter M Allan)]

Eric_Verheul writes:

> In our scheme any third party, which is probably never a TRP, can check
> equality of the sessionkeys send to the primary recipient (the TRP) and
> the second recipient (the real adressee), i.e. *without* needing secret

So could anyone anyway by asking the TRP.  The TRP returns a Yes/No
answer, withou disclosing the session key.  Is your binding scheme motivated mainly
by avoiding that workload on the TRP ?  Or by the fact that everybody might
prefer a different TRP ?

I suspect the scheme is incomplete anyway.  After skimming the web page I
see that the aim is to show the same session key has been encrypted under
different ElGamal pubkeys.  Now who's to say those pubkeys belong to anyone ?
Or is this what is meant by "such as Margaret's identity" ?  You'd list the
ids of the TRPs and also prove that the pubkeys used were theirs ....  ?


Now to the politics...

E__Allen_Smith writes:

> Quite simply, you've invented a system that makes censorship more
> possible. As a scientist, I try to avoid areas that have such negative
> effects

The usual Big Problems for GAK 

  1)  What's in it for the user ?
  2)  What happens when the Feds recover meaningless data ?

2 does not seem to be addressed except by proposing restrictions
which Eric dismisses as follows:

Adam Back:
    >system because their stated aims are untrue: they *do* want to outlaw
    >non-escrowed encryption for domestic US traffic, and they *do* want to


Eric Verheul:
    > Who is they, governments as a whole? If you simplify discussions in this
    > way, I might as well say: "you guys only want to help criminals". I understand
    > your fears, but don't exaggerate.


 -- Peter Allan    peter.allan@aeat.co.uk