[6772] in cryptography@c2.net mail archive
Re: time dependant
daemon@ATHENA.MIT.EDU (John Denker)
Fri Mar 10 22:49:16 2000
Message-Id: <4.2.2.20000310220134.00c95f00@surfcity.research.att.com>
Date: Fri, 10 Mar 2000 22:19:02 -0500
To: John Kelsey <kelsey.j@ix.netcom.com>,
"Arnold G. Reinhold" <reinhold@world.std.com>,
"Steven M. Bellovin" <smb@research.att.com>,
"Matt Crawford" <crawdad@fnal.gov>
From: John Denker <jsd@research.att.com>
Cc: Cryptography <cryptography@c2.net>
In-Reply-To: <4.1.20000310193308.0094edf0@email.plnet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 08:09 PM 3/10/00 -0600, John Kelsey wrote:
>But there's a related engineering question: Does
>it make sense to build large systems in which there's no way
>for humans to overrule the actions of programs once they're
>set in motion?
...
>To use a more common example, I believe there were some cars
>(maybe experimental, I don't know) which would simply refuse
>to start the ignition until all passengers had their
>seatbelts on. There's no doubt that it's possible to design
>such a car. But you couldn't sell them without making it
>illegal to buy any other car, and users would flock to
>mechanics to have the feature removed in droves, regardless
>of the law.

It seems unnecessarily extreme to focus on (a) large systems and (b)
draconian enforcement of rules with obvious bad side-effects.

Point (a) is that small-scale irrevocable decisions abound, and we've
learned to live with them. On my computer, I issue irrevocable commands
hundreds of times per day. A good example is sending email, even though
it might have been possible to design the system to permit revocation.
Encrypting a file using a public key to which I don't hold the private
key (and expunging the original) is another irrevocable act that I
commonly perform. Submitting a document to a cryptological time-lock
system is no worse than this.

Point (b) is that if a 100% effective time-lock system were devised, I
would not expect that people would be required to use it (in the sense
suggested by the seatbelt interlock scenario above). Anybody who wanted
to defeat such a draconian requirement could just keep a copy somewhere
else.