[FoRK] Re: identity-based encryption

Gordon Mohr gojomo at usa.net
Mon Feb 9 10:51:07 PST 2004

Meltsner, Kenneth wrote:
> Interesting stuff, although I suspect it's protected by patents (or
> patents pending).  The problem of identifying a given user to the key
> server is glossed over, and I'm not sure whether the typical encryption
> fan will appreciate the "inherent key escrow" provided by IBE.

I suspect the technique could be generalized so that the sender
uses public generators from multiple, unlikely-to-collude agencies,
combined with your email address, to get your public key. You'd
then have to consult with each of those agencies to construct
your composite private key... but then none of them effectively
has an escrow of your entire private key.

And, for a certain low-but-useful level of authentication as has
become popular -- "prove you're user at host.com by responding to an
email from us to that address" -- it's perfect. It lets that email
step, familiar to web users, bootstrap more encrypted/authenticated
communication with multiple remote parties, without them each
independently having to repeat the email-callback. They just let
one central service do it once per principal.

I can also imagine uses where your traditional, locally-generated
public key is the "identity string" combined with the generator
to create another more temporary key. Then, the fact that some chosen
third party -- the generator provider -- escrows this derived key
could be a feature, not a bug. They would have the ability to crack
open communications under certain well-advertised, agreed-to
circumstances: when a deal goes sour, or a certain time expires,
or a certain contingent event comes to pass.

So I think there's actually a lot of interesting applications
folded up in this technique that a quick assessment coudl overlook.
Time will tell.

- Gordon

More information about the FoRK mailing list