Hi Neal--

On Wed 2015-07-15 16:21:52 +0200, Neal H. Walfield wrote:
> OpenPGP has support for local signatures. It would be nice to have
> something similar for keys as well. The motivation for this feature
> is: some people have keys that they don't want to have widely
> distributed and training others to respect this is very difficult.
>
> Concretely, it should be possible to mark a key as not exportable to a
> keyserver or to provide a list of key servers (perhaps described using
> regular expressions as per Section 8 of RFC 4880) to which it may be
> exported.
>
> This could be implemented as a new signature subpacket.
>
> When the key is exported (e.g., using gpg2 --export KEYID), a
> warning should be issued that the key is not intended for public
> distribution.

I like this idea, though i'm not sure how useful it is as currently
proposed.

You could craft an OpenPGP certificate with all its self-sigs marked
non-exportable, and that should have roughly the same effect for other
users of GnuPG. You'd have to use --import-options import-local to
import it at all, or else it would have no valid self-sigs, which GnuPG
should reject as a poorly-formed certificate.

However, this arrangement (or your signature subpacket proposal) has a
set of problems that make it far from ideal protection, especially in
the face of potentially adversarial users:

 0) Any existing key (one with a self-sig that does *not* have this
    feature set) can't add this feature in a reliable way -- a new
    self-sig can just be stripped out of the certificate and the
    remaining certificate (with the previous self-sig) will be back to
    being "exportable".

 1) The keyservers would need to respect the value and decline to accept
    or propagate such keys. SKS currently doesn't even respect the
    non-exportable flag for non-self-sigs
    (https://bitbucket.org/skskeyserver/sks-keyserver/pull-request/20),
    let alone verify the cryptographic validity of signatures.

 2) GnuPG doesn't currently let you make non-exportable self-sigs, as
    far as i can tell (i just tested 2.1.6 with gpg2 --expert --lsign;
    maybe this is a bug in gpg, though)

 3) anyone can just post the key publicly in a non-keyserver way
    (e.g. to the web) if they really want to do so.

So the question is whether having this as an advisory mechanism (not a
perfect bulwark against adversarial publication) is worthwhile. If it
is worthwhile, would this interpretation of non-exportable self-sigs be
a sufficient mechanism?

This is certainly something worth considering clarifying in rfc4880,
whether it's introduced as a separate subpacket, or a clearer
recommendation of how to treat non-exportable subpackets in a self-sig.

--dkg
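
The check that point 1 asks of a keyserver, as an added example (not code from this thread, GnuPG or SKS): it reads the hashed subpacket area of a version 4 signature packet body and drops signatures carrying the Exportable Certification subpacket (type 4 in RFC 4880) set to 0. The function names and sample packets are constructed for illustration, and the code does not verify any signature cryptographically.

```python
EXPORTABLE_CERTIFICATION = 4  # subpacket type (RFC 4880, section 5.2.3.1)

def iter_subpackets(area: bytes):
    """Yield (type, data) for each subpacket in a signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        hdr = 1 if first < 192 else 2 if first < 255 else 5  # length-field size
        if i + hdr > len(area):
            raise ValueError("truncated subpacket length")
        if hdr == 1:
            length = first
        elif hdr == 2:
            length = ((first - 192) << 8) + area[i + 1] + 192
        else:
            length = int.from_bytes(area[i + 1:i + 5], "big")
        i += hdr
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask off the critical bit
        i += length

def is_exportable(sig_body: bytes) -> bool:
    """False only if the hashed area of a v4 signature says exportable = 0."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    n = int.from_bytes(sig_body[4:6], "big")
    if 6 + n > len(sig_body):
        raise ValueError("truncated hashed subpacket area")
    # Only the hashed area is read: unhashed subpackets are not covered by the
    # signature, so anyone could add or remove them (a choice of this example).
    for sp_type, data in iter_subpackets(sig_body[6:6 + n]):
        if sp_type == EXPORTABLE_CERTIFICATION:
            return data != b"\x00"
    return True  # subpacket absent: the signature is exportable

def exportable_only(sig_bodies):
    """Keep the signatures a keyserver honouring the flag would propagate."""
    return [s for s in sig_bodies if is_exportable(s)]

def make_sig(hashed: bytes, unhashed: bytes = b"") -> bytes:
    """Constructed sample: v4, type 0x13, RSA, SHA-256, no real signature MPIs."""
    return (bytes([4, 0x13, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00")

CREATED = b"\x05\x02\x55\xa6\x6b\x00"        # signature creation time subpacket
LOCAL_SIG = make_sig(CREATED + b"\x02\x04\x00")            # exportable = 0, hashed
NORMAL_SIG = make_sig(CREATED)                             # no flag at all
UNHASHED_FLAG = make_sig(CREATED, unhashed=b"\x02\x04\x00")  # flag not signed
```

A filter like this only addresses point 1; a certificate that still has an older exportable self-sig (point 0) passes it once the newer self-sig is stripped.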