ietf-openpgp

Re: rfc2440bis-02 comments

2001-01-07 03:04:48
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26 Dec 2000, Marc Horowitz wrote:

Len, exactly what problem is your proposal intended to solve?  You
said:

    One of the major complaints I hear about PGP key servers is the inability
    to delete keys once they are sent to the server. I'd like to request the
    addition of two new flags for subpacket 23:

Why do these people want to delete their keys?

- They lost the private key or forgot the passphrase.

This doesn't solve that problem. Randy Harmon is putting together some
methods for addressing this issue. However, it could be related, as I will
explain.

- They don't want anybody to know they have a key.

This would aid in suppressing a key whose existence the owner didn't wish
to be public, however.

- The key is compromised.

  In this case, they should revoke it.

Agreed.

- I don't want my key on the keyservers at all.

  Your proposal solves this problem, but in my experience, this almost
  never happens.

I've encountered cases where this is an issue. I believe Dave Del Torto
has as well.

or is there another problem I've missed?

One case where I could see this being useful is in a network of privately
run key servers (perhaps in a large organization) that wishes to automate
its key server maintenance. Suppose they have a policy of deleting keys
attached to email addresses that are being deleted. Employee "Bob" leaves,
and the account bob@corp.nil is deleted. A deletion certificate could be
issued and injected into the key server network. Synchronization would take
care of the deletes on all the servers that this key propagates to.

Now, yes, there is another issue here (that I regrettably forgot to
mention in my original message.) Currently the key-server prefs packet is
denoted as being a "self-signature only" feature. Key servers could have a
policy of permitting specified "admin keys" to make alterations to third
party keys using this packet.

This would also help the public key server admins. Currently, if I sent
you a request to delete my key, and you decided you'd be nice and do so,
what are the chances it would stay deleted? However, if the fact that it
is deleted is merged into the key material, the deletion becomes much more
sticky.

(And only key servers configured to honor your admin key would treat it as
deleted, so I don't see any potential for attack here.)

Those are my reasons in a nutshell. This doesn't solve a lot of the
problems, but it addresses some of them, and it hurts nothing.


__

L. Sassaman

Security Architect             |  "The world's gone crazy,
Technology Consultant          |   and it makes no sense..."
                               |
http://sion.quickie.net        |                   --Sting





-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE6WEBRPYrxsgmsCmoRAoOnAJ4/xrI8lP/wJZmtsE+d1FgqL5qLJgCeJynG
AKXvyOjETEaZ5olgo6Swaj8=
=I9QV
-----END PGP SIGNATURE-----
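The policy sketched in the message above (honor the Key Server Preferences subpacket only when it comes from the key's own self-signature or from a configured "admin key", so a stranger's signature cannot delete or lock someone else's key) can be expressed as a small check over the parsed signature subpackets. The following is an added example, not code from the post or from any key server; it assumes the signature has already been cryptographically verified elsewhere, identifies the signer through the Issuer subpacket (type 16), and uses a hypothetical DELETE_FLAG bit and a hypothetical admin key list, since the message does not assign values to the proposed flags. The only flag value taken from RFC 2440 is 0x80 (No-modify) in subpacket 23. The subpacket length encoding follows RFC 2440 section 5.2.3.1.

```python
"""
Key Server Preferences (signature subpacket 23) policy check.

Added example, not the mailing-list author's code. Assumptions:
  - the enclosing signature was verified before these subpackets are consulted;
  - the signer is identified by the 8-octet Issuer subpacket (type 16);
  - ADMIN_KEY_IDS and DELETE_FLAG are hypothetical policy knobs. RFC 2440
    only defines 0x80 (No-modify) in the first octet of subpacket 23.
"""

SUBPKT_ISSUER = 16
SUBPKT_KEYSERVER_PREFS = 23
NO_MODIFY = 0x80        # RFC 2440 section 5.2.3.17
DELETE_FLAG = 0x40      # hypothetical: the proposed "delete" flag has no assigned value on the page


def encode_subpacket(subpkt_type: int, body: bytes) -> bytes:
    """Build one RFC 2440 signature subpacket (length covers type octet + body)."""
    n = len(body) + 1
    if n < 192:
        header = bytes([n])
    elif n < 8384:
        n -= 192
        header = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        header = b"\xff" + n.to_bytes(4, "big")
    return header + bytes([subpkt_type]) + body


def parse_subpackets(data: bytes):
    """Return a list of (type, critical, body) from a run of signature subpackets."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:
            length = int.from_bytes(data[i + 1:i + 5], "big")
            i += 5
        if length == 0 or i + length > len(data):
            raise ValueError("truncated or malformed subpacket")
        type_octet = data[i]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), bytes(data[i + 1:i + length])))
        i += length
    return out


def keyserver_action(subpackets, key_owner_id: bytes, admin_key_ids=frozenset()) -> str:
    """Decide what a key server does with the flags in subpacket 23.

    Returns "ignore", "no-modify" or "delete". Flags are honored only when the
    issuer is the key owner (self-signature) or one of the configured admin keys,
    which is exactly why a third party's signature cannot suppress a key.
    """
    issuer, prefs = None, b""
    for subpkt_type, _critical, body in subpackets:
        if subpkt_type == SUBPKT_ISSUER and len(body) == 8:
            issuer = body
        elif subpkt_type == SUBPKT_KEYSERVER_PREFS and body:
            prefs = body
    if issuer is None or not prefs:
        return "ignore"
    if issuer != key_owner_id and issuer not in admin_key_ids:
        return "ignore"            # unauthorized signer: flags carry no weight
    if prefs[0] & DELETE_FLAG:
        return "delete"
    if prefs[0] & NO_MODIFY:
        return "no-modify"
    return "ignore"


# Constructed sample key IDs (not real keys).
OWNER_ID = bytes.fromhex("0123456789abcdef")
ADMIN_ID = bytes.fromhex("fedcba9876543210")
STRANGER_ID = bytes.fromhex("1111111111111111")


def demo():
    """Three constructed signatures: self-sig, admin-sig, and a stranger's sig."""
    self_sig = encode_subpacket(SUBPKT_ISSUER, OWNER_ID) + encode_subpacket(SUBPKT_KEYSERVER_PREFS, bytes([NO_MODIFY]))
    admin_sig = encode_subpacket(SUBPKT_ISSUER, ADMIN_ID) + encode_subpacket(SUBPKT_KEYSERVER_PREFS, bytes([DELETE_FLAG]))
    stranger_sig = encode_subpacket(SUBPKT_ISSUER, STRANGER_ID) + encode_subpacket(SUBPKT_KEYSERVER_PREFS, bytes([DELETE_FLAG]))
    admins = frozenset({ADMIN_ID})
    return (
        keyserver_action(parse_subpackets(self_sig), OWNER_ID, admins),
        keyserver_action(parse_subpackets(admin_sig), OWNER_ID, admins),
        keyserver_action(parse_subpackets(admin_sig), OWNER_ID),        # server not configured for this admin
        keyserver_action(parse_subpackets(stranger_sig), OWNER_ID, admins),
    )


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints the four decisions for the constructed signatures: the self-signature yields "no-modify", the admin signature yields "delete" only on a server that lists that admin key, and the stranger's signature is ignored everywhere, which is the property the post relies on when it says a server that does not trust the admin key is not exposed.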

