ietf-openpgp

Re: negative security aspects of GAK compliance

1997-10-12 09:21:01
PGP now has support for separate signing and encryption keys.  The
signing key is the "top level key", and the encryption key is what we
refer to as a "subkey" which is bundled with the top level key.

One purpose of this is to allow more frequent changing of encryption keys.
In the past, changing keys was difficult because signatures on your
old key would not carry over to your new one, so you needed to acquire
all new signatures on your new key.  With the subkey model, third-party
signatures bind userids only to the top level key, not to the subkey.
The top level key then issues a signature on the subkey saying "this is
the encryption key to use to encrypt to me."  The third-party signatures
then implicitly validate the subkey as well as the top level key.

When it is time to retire a subkey and create a new one, the top level key
need only issue a revocation signature on the subkey, generate a new one,
and issue the special signature on it.  The new subkey is immediately
fully validated, and all of the signatures on the top level key, which
hasn't changed, carry over to it.

This should facilitate more frequent changeover of encryption keys as Adam
Back describes, which can be good security practice.  It is a significant
improvement provided by the new key structures of PGP 5.

Adam wrote:

> This argues that if people are to insist on using the enforced second
> recipient model for corporate snooping at all, they should for
> security reasons be at least using short lived communications keys for
> the GAK compliancy packet also.

That sounds reasonable, at least if the first recipient is also using
short lived keys.  Presumably these kinds of policies would be established
by the corporate security office.  But certainly if one class of keys
uses short lived keys then it would be logical for the other class to
do so as well.

The second-recipient feature supports this kind of frequent changeover
using the mechanism I described above.  The corporate access key can
have its encryption subkey replaced, and the new one will be used by
encryption software.  No change to user keys is necessary for the new
corporate encryption key to be used as the second recipient.  All that
has to happen is to distribute the new encryption subkey.

Actually it's likely that the corporation will change its shared access
keys more frequently than user keys, at least if they are using an
access model where there are relatively few shared keys.  It will be
easier to change a few keys which are controlled by corporate officers
than to get every one of 10000 employees to generate a new key every week.

Hal Finney
hal(_at_)pgp(_dot_)com
hal(_at_)rain(_dot_)org
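An added illustration, not part of Hal's message or of PGP's own code: a small Python model of the key structure the message describes (third-party certifications on the top-level signing key, top-level self-signatures that bind or revoke encryption subkeys, and a second-recipient corporate key whose subkey can be rolled without touching user keys). Cryptographic signature verification is deliberately abstracted: a `Signature` here only records who issued it, what kind it is and what it covers, and the code assumes the signature bytes were already checked. Key ids, user ids and certifier names are constructed for the example.

```python
"""Toy model of the PGP 5 top-level key / encryption subkey structure.

Constructed example. Signature validity is assumed to have been checked
already; what is modelled is the binding logic: who may certify a userid,
who may bind or revoke a subkey, and how a fresh subkey inherits the
certifications already on the top-level key.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    signer: str   # key id of the issuing key
    kind: str     # "cert" (userid certification), "bind" (subkey binding), "revoke"
    target: str   # key id the signature covers


@dataclass
class TopLevelKey:
    key_id: str
    userid: str
    certifications: list = field(default_factory=list)  # third-party certs over (userid, key_id)
    subkeys: dict = field(default_factory=dict)         # subkey id -> self-signatures from the top-level key

    def add_subkey(self, subkey_id: str) -> None:
        # The special "this is the encryption key to use to encrypt to me" signature.
        self.subkeys[subkey_id] = [Signature(self.key_id, "bind", subkey_id)]

    def revoke_subkey(self, subkey_id: str) -> None:
        self.subkeys[subkey_id].append(Signature(self.key_id, "revoke", subkey_id))


def top_level_valid(key: TopLevelKey, trusted_certifiers: set) -> bool:
    """A top-level key is valid when a certifier we trust signed its userid binding."""
    return any(s.kind == "cert" and s.target == key.key_id and s.signer in trusted_certifiers
               for s in key.certifications)


def subkey_valid(key: TopLevelKey, subkey_id: str, trusted_certifiers: set) -> bool:
    """A subkey is valid only via its top-level key: bound by it, not revoked by it,
    and the top-level key itself must be valid. Nobody else's signature counts."""
    sigs = key.subkeys.get(subkey_id, [])
    bound = any(s.kind == "bind" and s.signer == key.key_id and s.target == subkey_id for s in sigs)
    revoked = any(s.kind == "revoke" and s.signer == key.key_id and s.target == subkey_id for s in sigs)
    return top_level_valid(key, trusted_certifiers) and bound and not revoked


def current_encryption_subkey(key: TopLevelKey, trusted_certifiers: set):
    """Most recently added subkey that is still valid, or None."""
    for subkey_id in reversed(list(key.subkeys)):
        if subkey_valid(key, subkey_id, trusted_certifiers):
            return subkey_id
    return None


def encryption_targets(user_key: TopLevelKey, corporate_key: TopLevelKey, trusted_certifiers: set) -> list:
    """Subkeys a sender would encrypt to: the user's current subkey plus the
    corporate second recipient's current subkey. Skips any that are not valid."""
    targets = [current_encryption_subkey(k, trusted_certifiers) for k in (user_key, corporate_key)]
    return [t for t in targets if t is not None]


def rollover_demo() -> dict:
    trusted = {"CERT-ALICE"}                      # constructed trusted third-party certifier
    hal = TopLevelKey("SIGN-HAL", "hal@example.invalid")
    hal.certifications.append(Signature("CERT-ALICE", "cert", "SIGN-HAL"))
    hal.add_subkey("ENC-1")
    before = current_encryption_subkey(hal, trusted)

    # Retire ENC-1 and bind ENC-2: no new third-party signatures are needed.
    hal.revoke_subkey("ENC-1")
    hal.add_subkey("ENC-2")
    after = current_encryption_subkey(hal, trusted)

    # A subkey "bound" by some other key is never accepted, even if the
    # top-level key is valid.
    hal.subkeys["ENC-BAD"] = [Signature("SIGN-OTHER", "bind", "ENC-BAD")]

    # Corporate access key: its subkey is rolled weekly, user keys are untouched.
    corp = TopLevelKey("SIGN-CORP", "security-office@example.invalid")
    corp.certifications.append(Signature("CERT-ALICE", "cert", "SIGN-CORP"))
    corp.add_subkey("CORP-ENC-W1")
    week1 = encryption_targets(hal, corp, trusted)
    corp.revoke_subkey("CORP-ENC-W1")
    corp.add_subkey("CORP-ENC-W2")
    week2 = encryption_targets(hal, corp, trusted)

    return {
        "before": before, "after": after,
        "old_subkey_still_valid": subkey_valid(hal, "ENC-1", trusted),
        "foreign_binding_valid": subkey_valid(hal, "ENC-BAD", trusted),
        "uncertified_key_usable": current_encryption_subkey(hal, set()),
        "week1": week1, "week2": week2,
    }


if __name__ == "__main__":
    for k, v in rollover_demo().items():
        print(f"{k}: {v}")
```

The `uncertified_key_usable` entry shows the other half of the model: with no trusted certification on the top-level key, none of its subkeys are usable, however well they are self-signed, because the subkey's validity is only ever borrowed from the top-level key.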
