Why Can’t We Have Pretty Things?

I was reading [Al Williams]’ great rant on why sometimes the public adoption of tech moves so slowly, as exemplified by the Japanese Minister of Tech requesting the end of submissions to the government on floppy diskettes. In 2022!

Along the way, [Al] points out that we still trust ballpoint-pen-on-paper signatures more than digital ones. Imagine going to a bank and being able to open an account with your authentication token! It would be tons more secure, verifiable, and easier to store. It makes sense in every way. Except, unless you’ve needed one for work, you probably don’t have a Fido2 (or whatever) token, do you?

Same goes for signed, or encrypted, e-mail. If you’re a big cryptography geek, you probably have a GPG key. You might even have a mail reader that supports it. But try requesting an encrypted message from a normal person. Or ask them to verify a signature.

Honestly, signing and encrypting are essentially both solved problems, from a technical standpoint, and for a long time. But somehow, from a societal point of view, we’re not even close yet. Public key encryption dates back to the late 1970’s, and 3.5” diskettes are at least a decade younger. Diskettes are now obsolete, but I still can’t sign a legal document with my GPG key. What gives?

70 thoughts on “Why Can’t We Have Pretty Things?

  1. Mostly ? Bad designs, and also the shortsight of not allowing fallback options. Like fingerprints are a very convenient and secure option, sure. But if the bank ATMs / system allow only that, what are the people with missing fingers or those who, due to age or profession or whatever have very light or non existant fingerprints ? Around here a lot of people would need to queue up to a sole machine in the bank that would accept entering the PIN through the keyboard. And that machine wouldn´t be always working, or would run out of money.

    1. Once the fingerprint leaves the sensor, it’s a digital value – that gets compared to another, stored, value. What if that value is compromised?
      What if you are a victim of identity theft?
      You can change your signature. How do you change your fingerprint?

      1. I’m in construction. That means scrapes, bruises, handling things with sharp edges.

        I need to update my phone’s fingerprint reader about every 4-6 months otherwise it locks me out. I have 4 different fingers set up to work the sensor, same problem across all of them.

        Fingerprints aren’t as reliable as everyone makes them out to be

  2. Trust.
    Do they believe it is really me, or a counterfeit?
    Do I believe they will only use my income, identification, information for the purposes I intend?

  3. “Along the way, [Al] points out that we still trust ballpoint-pen-on-paper signatures more than digital ones. ”

    Well writing leaves it’s mark (no pun intended). The forensics of writing leaves more clues than a digital signature. And where the writer can be observed, there’s more clues.

    1. The forensics behind hand signatures are borderline bogus. Sure, there are a lot of factors to take into account, but I never had the exact same hand signature in the last two decades. Because I am human. My digital signature on the other hand… Only I can produce is.
      And verifying a hand signature? Go to court, book a forensic team, wait for the whole procedure (and pay for it). Verifying a digital signature? You don’t have to, most applications do it without asking, in a mere second. (Not to mention verifying hundreds of signatures automatically). I totally agree with the author.

      1. Your digital signature only you can reproduce, until someone else can, and then they can do it perfectly, and there’s basically nothing you can do to argue it wasn’t you. Pen signatures have degrees of confidence, which can be good at some times.

  4. It was never an encryption and signing problem with PGP; it was about establishing trust.
    Establishing trust was the thing that was never really figured out. Yes we had public PGP servers for keys, but how do you establish trust with those keys?
    Compare that to the situation we are now in with SSL certificates and the certificate transparency logs. The problem with PGP was that it wasn’t far off the situation where all websites just have self-signed certificates.
    While there was an industry built up to deal with trust for SSL certificates due to businesses making websites, the same isn’t really true for individuals using PGP.
    Add on top of that TLS getting rolled out for delivering email, and then DMARC, etc, the encryption and spoofing problems became less of an issue.

    1. Exactly this. Key management is the unsolved problem. Should there be a key escrow? How do you prevent corruption (i.e., illicit key issuance/revokation)? How do you handle loss of keys?

      None of these are technical problems, and so there aren’t technical solutions.

        1. Quantum solves a couple of the tangential issues around transporting bits around securely, but it really doesn’t do anything for the two fundamental core factors, identity and trust, or as we tend to know them in the tech world, authentication and authorization.

      1. Ok, so I started writing, but I came the ultimate conclusion that the *REAL* problem with this is government corruption. Let me explain.
        Key management can be managed by state governments, through the DMV as drivers licenses and state ID’s are already handled here. We just have to agree to foot the cost of the massive databases, and certificate revocation lists. It will be nightmarish, and costly, but we already authenticate people’s IDs here, so it makes sense to use this as our PKI.

        This is where the problem comes in. All levels of government are plagued by corruption. Usually in forms of “my spouse is my campain manager and is “worth” a 10 figure salary because I keep winning my elections”, or “I gave my campaign a 10,000% interest loan because I am such a stand-up guy”. Regardless of the mechanism used, politicians have found loopholes to get campaign donations into their own bank accounts in ways that do no violate current corruption laws.

        So what does this mean for PKI? Some no name company which donates huge amounts to a campaign will be the ludicrously lowest bidder, but will still get the contract. This lowest bidder will have no clue how cryptography works, and will first use CRijndael from the code project, thinking they’re “using crypto” to authenticate. Someone will eventually read the requirements and find out asymmetric encryption is what’s needed. They’ll roll their own library for it. It will appear to work, and they’ll roll it out. The algorithm will have been weakened, but that won’t even matter because they will have decided to store the private keys in a SQL database exposed to the public on a website with a trivial SQL injection attack. The public lose faith in cryptography, and the whole thing will be shelved for another 20+ years.

        The reality is, there is no technical problem here. The first hurtle is public opinion, being willing to pay for a system like this, and it won’t be cheap (but not expensive compared to other spending). The second problem is the corruption, preventing the best companies from implementing it. Imagine if we could get Bruce Schneir to be the one implementing it! It would be perfect! Do we really think his company would be able to get any government contract in the current acquisition system? If you said yes, I have a bridge to sell you.

  5. “Along the way, [Al] points out that we still trust ballpoint-pen-on-paper signatures more than digital ones. Imagine going to a bank and being able to open an account with your authentication token!”

    Yeah, no. It’s already way, way too easy to open bank accounts. Allowing for pure digital identification in banking would just made identity theft way too easy, because as soon as you say “you just need this digital thing” it becomes “you don’t even have to physically go someplace” which means the number of attackers grows to the entire planet, including places where the laws suck.

    After all, there’s a simple point here: if you’re saying authentication tokens are good, great! Let’s use them *in addition* to signatures. Proving you’re you shouldn’t be easy. It should be hard.

        1. Proving you’re you should be VERY hard. Confirming you’re still you should be EVEN HARDER, or perhaps outright IMPOSSIBLE. Tried and true.

          Some banks have done this, it saves people’s identity for the most part.

    1. Um, you already can open bank accounts without being there. In fact there are many online only banks.

      Other than for the government to spy on you, a bank shouldn’t need to identify you. You get an account and a key, anyone should be able to deposit, and you need the key to withdraw. No reason identity needs to come in to the picture at all.

      1. Yeah, except for the whole “money laundering and credit agency” thing. There’s a whole identity theft industry out there right now where false accounts are opened so that money can be laundered out of country without being traceable to the actual people involved.

        Plus bank accounts can then be used *as* proof of identity. Which is a separate issue.

        So yeah, no. The online bank account thing is a complete freaking disaster.

        1. I use my bank account as proof of identity at least 2 or 3 times per week, which works via an iphone app using my thumbprint. It works great, but if I ever lose my phone, or thumb, I’m screwed.

          How’s about a variety of biometrics (face, fingerprints, retina scan, whatever) stored with someone trusted, and then proving ID is based on that? Like I don’t /have/ to take an ID card or passport to go pick up a package or travel or open a bank account, I can just use whatever biometric machine they have there. ? And then online it’d work the same way, with my computer or phone fingerprint reader/camera/retina scanner/instant dna tester/whatever…

      1. “I can already open an online bank account and not have to physically be anywhere.”

        Yes, exactly, and that’s why the vast majority of identity theft and fraud cases go unsolved and unaddressed.

  6. Most likely standardization and accessibility. I grew up in a rural area that used dial-up until the late ’00s and “high speed internet” reaching gigabit speeds today is still just a dream. But in a world where banking demands standardization for regulation, trying to get a logger (read lumberjack, no one actually calls them lumberjacks) to understand and trust encryption would be like trying to teach a whale how to direct sea traffic. In theory it would make a lot of lives easier and could *technically* be done with a lot of training, but who would go through the effort? And the attitude of whales is MUCH more congenial than loggers…

  7. Because the person who creates the software is a different person than the one who uses it.

    To put it another way, it’s easier by far to understand one’s own needs, than it is another’s. And the skill set required to gain that understanding is vastly different than the one to, in this case, create software. But it’s a universal pattern.

    A better listener is a better creator. But this is not the nature of most people to want to be both. So the incentives have to be aligned for that person to want to be both things to any appreciable degree of mastery. That is rarely the case, so here we are.

  8. With a physical signature it is your cerebellum that is the keystore, and it is impossible to forge perfectly. Sure people can try to copy your signature style, but how many fakes stand up to forensic inspection? The problem is that we need a system that has the strengths of both methods, instantly verifiable an impossible to forge, yet linked directly to that which makes you a unique individual in the first place, your brain configuration. Neurobiometrics is the answer.

  9. I gotta be that total bummer as usual and state that there will be unexpected and unintended consequences. Efficiency cult always ends up dredging up some things from deep under sociality and culture that is invariably scoffed at, called unnecessary and outdated, and tossed aside. Then very strange and creepy things start happening.

  10. Alas we live in a time where any universally used technology is used against us.
    So for that reason you should not wish what you state you wish Elliot.

    It is a sad state of affairs but I see no way to change it, and too many who do not even wish for a change to this situation, and many who are in fact encouraging it.

    1. Others have already mentioned PGP here but failed to mention what a dumpster fire that product/standard really is. The format is byzantine in its complexity and dark corners. Based upon what I have read from other security researchers have written, both the protocol itself as well as implementations such as GNU PGP are more closely related to sponges for all of the holes in them. As I consider the issue, I would dare say that this one protocol and product has blocked secure implementations of signing and verification more than any other factor.

      The JWT standard already has features which allow the token payload to be signed using a private key and to be verified by a public key that can be served from a secure HTTPS server. Such a server could be self hosted or can be hosted by a company or organisation that can associate these public keys with user identity.

      The fact of the matter is that we already have decent tools available to perform this function and robust standards and implementations to support them. What we lack is a means of standardising on the suite of tools and protocols upon which applications can be built or modified to integrate document signing in a secure way. What we lack the most is the drive to start implementing these standards widely in applications so as to make them generally available to all users and not just those who are obsessed enough to deal with mess that PGP truly is.

  11. Ever heard of the BBC Domesday Project?

    Circa 1986, written in BCPL for the Acorn microcomputer and written to laser disc. By Y2K finding hardware capable of reading the data was an exercise in hardware archaeology. Useful lifespan: less than 15 years.

    Ever heard of the Domesday Book?

    Circa 1086, written on sheepskin. Still readable and on display at the National Archives at Kew. Useful lifespan: 936 years and counting.

    When someone can present a digital technology where 99% of the stored information remains available and usable after 50 years, we’ll talk.

  12. In Australia I am buying a house. I digitally signed the contract with a vendor and real estate agent I’ve never met, and transferred $100,000 to their trust account. My conveyancer will coordinate the balance with our mortgage lender. Interestingly, I did have to wet ink sign the mortgage contract, even though I have had a loan with them for 15 years.
    So the future is a little unevenly distributed.

  13. > Diskettes are now obsolete, but I still can’t sign a legal document with my GPG key. What gives?

    GPG signature is proof of holding a key, not proof of identity. Signing your name on a legal document with witnesses and likely in view of pervasive surveillance carries a lot more security than you seem to think.

  14. > Imagine going to a bank and being able to open an account with your authentication token!

    Apart from the whole “going to a bank” analogy, which I haven’t done since 2007:

    How does the bank know it is my token? That requires a whole additional infrastructure, usually a government PKI, which we e.g. have in Germany. Every German national ID card can generate cryptographical signatures that can be validated.

    Are all this additional infrastructure and the hassles it comes with (additional devices, always-online infrastructure, an additional step in the process, precautions for loss of token etc.) worth it? That depends on what you’re trying to achieve. Literally tens of billions of contracts are made every day. Not enough of them fail through to require the strongest and most expensive form of identification. That’s why absolutely nobody uses the ID card signatures in Germany.

    Just because you are pissed you weren’t able to do something online as quick as you thought or still have to carry an actual wallet with actual money, doesn’t mean everybody else has to enter the world of pain modern ID and payment technology has become. I would gladly disable 2FA on most things, including my credit card, if I was allowed to. I don’t consider any lf this “pretty”.

    1. The banks love to tell you the security if for “your safety” when actually it is for theirs.
      but here they still lose millions to card fraud, chip and pin fraud and of course contactless fraud, but much like the Ford Pinto, it’s cheaper to cover the losses than it is to admit the system is secure. Millions of transactions are legit, and comparatively a handful are fraud. When the bank fails at blaming the customer for the payment – which is their default go to because their system is secure and “we are bank”, right? – they quietly drop it and take it on the chin.

      So you want to to trust these people with “infallible” digital ID and signing things?
      Up to the point some “lowest possible bidder” contract IT worker on a 20hr shift accidentally presses the wrong link and associates my ID with someone else’s and the computer is ALWAYS right.
      No thanks.

      I keep a grand in cash in my home safe because of the last time the bank accidentally turned off all my cards for 3 days.

  15. I think you probably have a bit too a low an opinion of your local crowd and it might be colored by some very specific incidents that were close to home but which are now projected too expansively.

    I mean if you can operate a damn chainsaw without killing yourself for starters you should be able to handle some basic stuff surely.

  16. If i think today’s code quality… bugs everywhere, security issues… i’m not wondering.
    Programmers in the 70’s have wrote UNIX’s and OS/3** ‘s in a fraction of RAM which worked reliably. Now we have tons of features, but no trust, no security, no compatibility, etc.

  17. Hol’ up. I see a lot of arguments stating how a unique signature by pen has some inherent value, but I don’t see it. The main reason is No one looks at it. On most paperwork you sign, someone takes it,says ‘thank you’, and never looks at it. This is true for checks and even legal documents. At some value of transaction a notary public may ask to see ID and stamp the document, but that’s less common. No one is comparing your signature to some database of signatures. A token would at least be verified and could be inactivated immediately upon fraud suspicion. With a signature all you can really say is “Well, if this guy isn’t who he says he is, he’s certainly going to a lot of trouble to make a mark with a pen”

    1. I know a man named Tom Clancy.
      He is not a famous author.
      On occasion he will sign a book written by the famous author and give it to a friend.
      Future book collectors will have fun with those.

  18. “Along the way, [Al] points out that we still trust ballpoint-pen-on-paper signatures more than digital ones. Imagine going to a bank and being able to open an account with your authentication token! It would be tons more secure, verifiable, and easier to store. It makes sense in every way. Except, unless you’ve needed one for work, you probably don’t have a Fido2 (or whatever) token, do you?”

    Eh if you can forge my handwriting, I will give u a prison sentence

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.