augmenting subkeys
Trevor Perrin
2003-06-17 16:11:20
People were discussing the value of subkeys. I'm kind of a newcomer here,
and I'm not an implementor, so my opinion doesn't count for much. But I
think subkeys are cool. In fact, PGP could add features to support some
advanced uses of subkeys. A few arguments in favor of subkeys, and of
extending them in a couple ways:
An obvious use of subkeys is to keep the primary key in a more secure/less
convenient environment, and the subkeys in a less secure/more convenient
environment, but give them short validity periods to mitigate compromise.
Also, if PGP keys are used for things besides email (TLS, SSH, etc.), then
the user may want to use his key with multiple devices and applications
(laptops, desktops, PDAs, cellphones, etc.), so by getting his primary key
certified, or by giving someone his primary key fingerprint, he can then
certify subkeys in all these different devices. This is more convenient
than getting all his subkeys certified individually, and is more secure
than sharing the same key with all these devices, since transferring keys
is risky, using the same key with different protocols isn't a good idea,
and a compromise/revocation of one subkey won't affect the others.
PKIX is looking at a similar thing with "Proxy Certificates"[1]. So in a
sense, both PKIX and PGP are exploring a 2-tiered system, where the first
tier uses TTP certificates to convince Alice of Bob's "primary" key, and
the second tier is short-lived certificates that Bob issues from his
primary key to different devices, applications, and services, so he can
manage validity intervals, limit compromises, and keep the primary key in a
safer place.
This safer place might be a smartcard, a USB token, the user's main
computer, or even a network service. You could imagine some elaborate
things. For example, you might split your primary key into shares for use
with some "proactive threshold signature scheme" and store these shares in
different places around your home. Periodically you would bring the shares
together, "refresh them", so that an attacker would have to steal the
shares within a single period, and sign your subkeys.
Or you could bring the shares together (say once a week or month) and sign
a subkey possessed by an intermediary server. Then every day when you
fire up your email client, cellphone, etc., you could authenticate to the
server and get a sub-subkey with, say, an 8 hour lifetime. Maybe you could
even give your primary key shares to different online servers, which you
would choose to be independent so it's unlikely they would all be
compromised simultaneously. They would automatically contact each other
and refresh their shares once a week, and certify the intermediary's subkey.
Anyways, not that anyone should start designing protocols for this, or that
this should go in the next draft. But a few additions to the OpenPGP
format might allow someone to do these types of things, if they wanted to:
- a better way of binding a subkey to an application protocol, to
compartmentalize the damage from a compromise - so if your OpenPGP/TLS key
is compromised, the attacker couldn't turn around and use this key for
OpenPGP/SSH. Discussed a bit here [2].
- sub-subkeys (and sub-sub-subkeys, etc.). So you can have
"intermediaries" like above.
Just curious if people think that would be an interesting direction for PGP
to grow in?
Trevor
[1] http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-06.txt
[2] http://www.imc.org/ietf-openpgp/mail-archive/msg05092.html
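An added illustration of the two-tier (and three-tier) scheme sketched in the post above, written for this page and not taken from the post or from any OpenPGP implementation. It uses plain Ed25519 signatures instead of OpenPGP packets, and the "Protocol" label, the "any" marker for intermediaries, the nested validity windows and the depth limit are all assumed conventions, chosen to show what a verifier would have to check if the proposed protocol binding and sub-subkeys existed: the primary key certifies a longer-lived intermediary, the intermediary hands a phone an 8-hour TLS-only sub-subkey, and the verifier rejects the same key when presented for SSH, after expiry, when the chain is deeper than allowed, or when a child tries to outlive or out-scope its parent.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Cert is a hypothetical, minimal "subkey binding": a parent key vouches for a
// subject key, restricted to one application protocol and a validity window.
// It is an assumed encoding for this example, not an OpenPGP signature packet.
type Cert struct {
	Subject   ed25519.PublicKey
	Protocol  string // e.g. "openpgp/tls"; "any" is accepted only on intermediaries
	NotBefore time.Time
	NotAfter  time.Time
	Sig       []byte // parent's Ed25519 signature over tbs()
}

// tbs returns the length-prefixed to-be-signed encoding, so that no two
// (subject, protocol, window) combinations can produce the same bytes.
func (c *Cert) tbs() []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{c.Subject, []byte(c.Protocol)} {
		binary.Write(&b, binary.BigEndian, uint16(len(f)))
		b.Write(f)
	}
	binary.Write(&b, binary.BigEndian, c.NotBefore.Unix())
	binary.Write(&b, binary.BigEndian, c.NotAfter.Unix())
	return b.Bytes()
}

// Certify has the holder of parent issue a binding for subject.
func Certify(parent ed25519.PrivateKey, subject ed25519.PublicKey, proto string, nb, na time.Time) Cert {
	c := Cert{Subject: subject, Protocol: proto, NotBefore: nb, NotAfter: na}
	c.Sig = ed25519.Sign(parent, c.tbs())
	return c
}

// VerifyChain checks that chain[0] is signed by root and each later cert by the
// previous subject, that every cert is valid at now and nested inside its
// parent's window, that the chain is at most maxDepth long, and that every
// cert is bound to proto (intermediaries may instead carry "any"). On success
// it returns the leaf key the application may use for proto.
func VerifyChain(root ed25519.PublicKey, chain []Cert, proto string, now time.Time, maxDepth int) (ed25519.PublicKey, error) {
	if len(chain) == 0 || len(chain) > maxDepth {
		return nil, fmt.Errorf("chain length %d not in 1..%d", len(chain), maxDepth)
	}
	parent := root
	// The primary key itself is treated as unrestricted; each tier may only narrow.
	winLo, winHi := time.Time{}, time.Date(9999, 12, 31, 0, 0, 0, 0, time.UTC)
	for i, c := range chain {
		if !ed25519.Verify(parent, c.tbs(), c.Sig) {
			return nil, fmt.Errorf("cert %d: bad signature from parent", i)
		}
		if c.NotBefore.Before(winLo) || c.NotAfter.After(winHi) {
			return nil, fmt.Errorf("cert %d: validity window exceeds parent's", i)
		}
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return nil, fmt.Errorf("cert %d: not valid at %s", i, now.Format(time.RFC3339))
		}
		leaf := i == len(chain)-1
		if c.Protocol != proto && (leaf || c.Protocol != "any") {
			return nil, fmt.Errorf("cert %d: bound to %q, not usable for %q", i, c.Protocol, proto)
		}
		parent, winLo, winHi = c.Subject, c.NotBefore, c.NotAfter
	}
	return parent, nil
}

func main() {
	primaryPub, primaryPriv, _ := ed25519.GenerateKey(rand.Reader)
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // the "intermediary"
	phonePub, _, _ := ed25519.GenerateKey(rand.Reader)

	now := time.Date(2003, 6, 17, 16, 0, 0, 0, time.UTC) // constructed clock
	// Monthly: the primary key (kept offline, or in shares) certifies the intermediary.
	server := Certify(primaryPriv, serverPub, "any", now.Add(-24*time.Hour), now.Add(30*24*time.Hour))
	// Daily: the intermediary hands the phone an 8-hour, TLS-only sub-subkey.
	phone := Certify(serverPriv, phonePub, "openpgp/tls", now, now.Add(8*time.Hour))
	chain := []Cert{server, phone}

	for _, tc := range []struct {
		name, proto string
		at          time.Time
	}{
		{"tls now", "openpgp/tls", now},
		{"ssh now (cross-protocol)", "openpgp/ssh", now},
		{"tls tomorrow (expired)", "openpgp/tls", now.Add(24 * time.Hour)},
	} {
		_, err := VerifyChain(primaryPub, chain, tc.proto, tc.at, 3)
		fmt.Printf("%-26s -> %v\n", tc.name, err)
	}
}
```

The two checks that carry the post's point are the label comparison at every tier, not just the leaf (so a TLS-only intermediary cannot mint an "any" child and launder an SSH key through it), and the window nesting (so an 8-hour sub-subkey cannot be re-issued to outlive the monthly intermediary it hangs from).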