Werner Koch wrote:
> Having such a default subkey flag would inhibit automatic key
> rollover. If we really want to specify handling of subkeys we should
> first discuss Ian Brown's suggestions for PFS.
(and Adam Back and Ben Laurie's. They're at
http://www.cs.ucl.ac.uk/staff/I.Brown/draft-brown-pgp-pfs-03.txt, although
the draft has expired.)
Briefly, we suggested that for perfect forward secrecy, the subkey closest
to its expiration date should be used. This is because the owner can wipe
that subkey soonest, reducing the possibility that an attacker with a copy
of the message ciphertext will then be able to get the subkey required to
decrypt it.
The draft's progress has stalled as the IESG liked the idea and suggested we
go for standards track rather than informational publication; but I think
they are waiting for some positive response from the working group on that.
Do people think it's worth pursuing, either as informational or standards
track? John Noerenberg thought it might be useful to split the document into
a small standards track document defining the subkey flags we suggest (or
even incorporate that into the rfc2440-bis draft, although we're likely too
late for that now) along with a longer informational draft on using the
protocol features for PFS. But we weren't sure if this more convoluted route
was more useful.
Any thoughts?
Thanks,
Ian
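As an added illustration of the selection rule described in the message above (not code from the draft or from its authors): given a recipient's encryption subkeys, choose the unrevoked, unexpired one whose expiration date is soonest, so the owner can wipe it earliest. The Subkey record and the sample key set are constructed here for the example; the fallback to a never-expiring subkey is an assumption, since such a subkey offers no scheduled wipe point and the draft text is not reproduced on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence


@dataclass(frozen=True)
class Subkey:
    """Minimal view of one OpenPGP subkey (constructed for this example)."""
    keyid: str
    can_encrypt: bool
    revoked: bool
    created: datetime
    expires: Optional[datetime]  # None means the subkey never expires


def choose_pfs_subkey(subkeys: Sequence[Subkey], now: datetime) -> Optional[Subkey]:
    """Return the encryption subkey closest to its expiration date.

    Only subkeys usable for encryption, not revoked and not yet expired
    are candidates. Among those with an expiration date, the soonest
    wins. Never-expiring subkeys are used only as a fallback (assumption:
    they give no forward-secrecy benefit because there is no scheduled
    point at which the owner wipes them), newest created first.
    """
    usable = [k for k in subkeys
              if k.can_encrypt and not k.revoked
              and (k.expires is None or k.expires > now)]
    expiring = [k for k in usable if k.expires is not None]
    if expiring:
        return min(expiring, key=lambda k: k.expires)
    if usable:
        return max(usable, key=lambda k: k.created)
    return None


# Constructed sample key set; "now" is 2001-05-01 UTC.
NOW = datetime(2001, 5, 1, tzinfo=timezone.utc)
_d = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
SAMPLE_SUBKEYS = [
    Subkey("SUB-A", True, False, _d(2000, 1, 1), _d(2001, 1, 1)),  # already expired
    Subkey("SUB-B", True, False, _d(2001, 1, 1), _d(2001, 7, 1)),  # expires soonest
    Subkey("SUB-C", True, False, _d(2001, 4, 1), _d(2002, 1, 1)),
    Subkey("SUB-D", True, True, _d(2001, 2, 1), _d(2001, 6, 1)),   # revoked
    Subkey("SUB-E", False, False, _d(2001, 3, 1), _d(2001, 5, 15)),  # signing only
    Subkey("SUB-F", True, False, _d(1999, 1, 1), None),            # never expires
]

if __name__ == "__main__":
    chosen = choose_pfs_subkey(SAMPLE_SUBKEYS, NOW)
    print(chosen.keyid if chosen else "no usable encryption subkey")
```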