I came across an interesting petition on UDAI for a safer Internet:
Your thoughts and comments are sought:
https://www.linkedin.com/pulse/petition-1-4-executives-asked-build-worldwide-key-m-/
Does it have merit?
Regards
Caute_cautim
I'm thinking the author would be well served by reading up on asymmetric encryption, PKI and TPM. There seem to be knowledge gaps regarding the current state-of-the-art.
Frankly, I gave up reading after just a few paragraphs. I am always suspicious when I see "central authority" or "symmetric encryption". Neither of these are a solid foundation for confidentiality or integrity. Proposing either does not encourage me to read further.
@denbestenI will have a deeper look, today and report back? Perhaps the source had best explain how her approach is better than others?
Regards
Caute_cautim
@Caute_cautim wrote:I came across an interesting petition on UDAI for a safer Internet:
Your thoughts and comments are sought:
https://www.linkedin.com/pulse/petition-1-4-executives-asked-build-worldwide-key-m-/
Does it have merit?
John,
The simple answer to your fundamental question is no, it does not have merit. My initial impression is tha tthe author has suffered from a few holes in her logic, missing knowledge of the technology, and unstated, embedded assumptions that the author may not be aware of.
I agree with William @denbesten that a an initial cursory reading leads me to conclude it is not worth trudging through the set of nine articles. However, in trying to provide coherent comments, I jumped to the last article in the set of nine, and read the following introduction:
"This initiative was previously published as a pro bono petition, in this other LinkedIn document: https://lnkd.in/edkn82K. A few peers kindly informed me that the original version was a bit too technical, especially for executives. This new version is meant to be a bit less "dry", and more "executive-friendly"."
I will read that version and then check other articles in the series as I develop comments to test, and possibly support, my initial conclusion on the idea. More to come.
Craig
@CraginSI commenced a dialogue with the Lady involved in the original UDAI idea on LinkedIn. Her main beef was the issue with RSA encryption, so she thought symmetric encryption was one method of overcoming the issues. However, I don't think she has really has thought through the ramifications and implications and environments that are likely to manifest themselves. Perhaps she should be thinking more along the lines of the express course offered by ISC2 in terms of IoT connectivity, communications, and wider implications and usage.
The other thing is as you and others have pointed out traditional PKI systems and cryptographic systems, may potentially have a lifespan of 5 years or more left - due to Quantum Cryptography coming on line. I have suggested to her, that along the lines of CCPA and SB-327 that a lot of the responsibility should be placed on the shoulders of the original manufacturers themselves.
Regards
Caute_cautim
@Caute_cautim wrote:@CraginSI commenced a dialogue with the Lady involved in the original UDAI idea on LinkedIn. Her main beef was the issue with RSA encryption, so she thought symmetric encryption was one method of overcoming the issues. ...
John,
I suspect she has no appreciation for what it takes to distribute secret symmetrical keys, maintaining full protection for each copy, or the fallacy of trusting so many disparate commercial companies to be void of malicious insiders.
Key management for Secret Keys by NSA for legacy crypto equipment in the USA is a tremendously costly and complex process.
Craig
@CraginSI agree, I used to work in a Comcen and overseas with such legacy crypto systems, in the days of HF radio, these days it is handled by Message Handling Systems.
Regards
Caute_cautim
@CraginS wrote:I suspect she has no appreciation for what it takes to distribute secret symmetrical keys, maintaining full protection for each copy,...
@Caute_cautim, perhaps an example would help the author... The Enigma machine is perhaps the best-known example of symmetric encryption. Even 80 years ago they knew the secret keys needed to be protected and frequently rotated. History shows its weakness was theft and brute force against the secret keys.
Beyond selection of encryption mechanism, Unique and permanent identifiers could easily be considered PII. Therefore, one also needs to examine how UDAI would interact with privacy laws, such as GDPR and CCPA. Also note that some manufacturers actively limit the use of permanent identification.