Thanks for the comments :)
-this document seems to be focused on the use of openpgp for mail in
particular. is there anything to be said for other uses? (e.g.
openpgp key usage in ssh)
I have included a new paragraph on the use ofOpenPGP keys with
network/transport layer security services:
Where OpenPGP keys are used in protocols such as IPSEC [2] or TLS
[9], they SHOULD NOT be used to encrypt keying material that can
later be decrypted if they are compromised. Ideally, they SHOULD be
used only to authenticate a forward-secret key negotiation
protocol such as Diffie-Hellman [3]. At the least, new short-
lifetime key pairs SHOULD be generated for key encryption use.
Sound sensible?
i think whether the key distribution should happen automatically
should be a matter of policy. some of us have keypairs of which the
public portion is not really made widely public, nor do we want it to
be made so. perhaps such relevant policy can be expressed in the key
and implementations could interpret it appropriately.
I have changed the paragraph as follows:
Key distribution can be eased by submitting new keys to key
servers, where they will be available for other users to retrieve.
Submission and retrieval of generally-available public keys (those
self-signed with an exportable signature) SHOULD be performed
automatically by software. Expired public encryption keys MUST be
deleted by users and keyservers to remove information on old key
pairs. Expired private encryption keys MUST be securely deleted to
prevent later compromise.
-how about some "secure deletion" references in the references section?
I have something by Markus Jakobsson that can go in: we could also mention the
relevant DoD requirements.
The "revoke and redistribute" requirement on surrendered keys is tricky: as
you say, what happens if the client can't contact a keyserver? I suppose the
weak answer is that as more and more people get always-on DSL/cable modem
connections, and any one of the keyservers can be contacted, this shouldn't
happen often (as long as the police don't catch on). But I suppose we could
say something like if keyservers are unavailable, the client may queue the
revocation for later distribution then export the key.
also, which takes precedence, the deletion of expired keys from
keyservers or the distribution of revoked keys? is this also a matter
of policy that could be reflected in the key?
We were thinking of revoked and expired keys as separate categories.
Keyservers certainly shouldn't delete revoked keys *until their expiry date is
reached* -- at which point they shouldn't be used anyway.
Ian :)