GCHQ's CESG team's crypto proposal isn't dumb, it's malicious... and I didn't notice

A Reg writer's mea culpa

Comment Hang on: you want to use a phone number as an identity certificate?

Forgive me, everybody, for not realising the obvious – and for not realising why GCHQ's information security arm CESG's pet proposal RFC 6509 hasn't progressed.

The reason is simple: it's a damn stupid idea.

Here's the relevant quote: ”a user’s identity is their public key. Simply knowing a user’s phone number is enough to establish a secure communications link with them.

And here's why it's spectacularly stupid: a telephone number is not an identity of a person. It's an identity of a thing – a particular spot on a wiring harness in a telephone exchange that a bit of software associates with a number of a handset that can be used by anyone in the same place; or of a physical mobile phone (assuming that nobody's tricked it into presenting someone else's number); or of a SIP account that's completely disassociated from any physical artefact whatever.

The one thing that a phone number does not do is identify a person.

Of course, the same can be said of an IP address, that most-prized artefact that's apparently worth so much, anencephalic legislators listen to spooks who ghost-write their legislation and will die in a ditch to get their hands on meaningless identifiers.

Ahem. Perhaps I ranted for a moment, forgive me.

It's easy, when you're reading the stilted prose of a spooks' specification on one hand and the even-more-stilted prose of an IETF document on the other, to look for mice and overlook elephants.

A telephone number does not identify a human.

Having said that, motivation casts its shadow: why on Earth would someone conceive of such stupidity and devote time and thousands of words to propose that it should be a standard?

If RFC 6509 is how spooks think, it sheds some light on the witlessness of data-retention legislation in the UK, which by dint of special effort managed to be more moronsome than the data-retention legislation that passed Australia's parliament this year.

Regardless of their technical expertise – and to be fair, the RFC reveals considerable technical expertise – the spies of the world can't shake the mindset of 30 years ago, when all they needed to do was drop crocodile-clips on wires and take photographs.

Even when they know better, they remain devoted to systems, processes and thinking that's been obsolete since Kim Philby was still alive, but they can't let go.

The phone number is the person; the IP address is the person; and both assumptions are utter folly, but are relentlessly peddled by the spooks to the politicians.

As a result, successive anencephalic attorneys-general in Australia and the UK's Home Secretary Theresa May have enacted legislation of such egregious idiocy it could have been drafted by a junior in the White Fish Authority.

As far as I can tell, RFC 6509 has suffered that most ignominious fate that can befall a request for comment: nobody commented.

Of course nobody commented. You don't, as an Australian cricketer once observed, “urinate on statues”. GCHQ begat CESG, both are potential customers, both have spies at their command, and nobody's going to write, in public, the kind of thing that Linus Torvalds would write about bad code.

As an acute commenter noted before my brain kicked into gear, there's also this: stupidity is compounded by mendacity. If the phone number is the authenticator, impersonation is utter cake. Anyone who knows my phone number can authenticate as me, and MITM is trivial.

Three out of ten, CESG, must try harder. And three out of ten, myself, for getting bogged down trimming the toenails of the elephant standing on my foot. ®

Biting the hand that feeds IT © 1998–2021