
Re: [openpgp] Clarify status of subkeys with certification use

2018-05-25 10:17:46
On 05/25/2018 11:59 AM, Neal H. Walfield wrote:
> Hi Kristian,

Hi Neal and Justus,

> Justus and I have been thinking about how to realize per-device keys
> and approximate forward secrecy.  These two things are related: if we
> want devices to do their own key rotation (and I think this is
> sensible, as the alternative is to somehow regularly transfer secret
> key material to each device), then the devices need to be able to
> generate self-signatures.  Since we don't want all devices to have
> access to the primary key, each device could have its own
> certification subkey.

Wouldn't you anyways break the per-device nature if using this
certification subkey to sign a third party keyblock, and the loss of one
of the devices impacted your validity calculation across the ecosystem?

Using this in such a per-device nature also seems to require rather
special attention from the user/client, I could easily imagine ending up
with a web of cross-signatures across multiple devices here.

On 05/25/2018 11:59 AM, Neal H. Walfield wrote:
> Consequently, please do not remove certification subkeys from RFC
> 4880bis.  If anything, I would prefer that RFC 4880bis clarifies that
> certification subkeys should be supported.

if we are removing it and not just making the current state more precise :)

In any case; I'm not sure if this is a use-case I favor much personally,
but it is an interesting concept so thanks for bringing it up for
discussion.

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"Statistics are like a bikini. What they reveal is suggestive, but what
they conceal is vital."
(Aaron Levenstein)
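The thread turns on whether a subkey is certification-capable, which in RFC 4880 is expressed by the Key Flags signature subpacket (type 27, section 5.2.3.21) carried in the subkey's binding signature. As an added example that is not part of this thread or of any OpenPGP implementation, the following Python parses the subpacket area of a signature, extracts the key flags and reports which keys of a constructed key could issue the self-signatures the per-device design needs. The byte strings are constructed for illustration, not real key material.

```python
# Added example (not from the mailing-list thread or any OpenPGP library).
# Parses RFC 4880 signature subpackets, reads the Key Flags subpacket and
# decides which keys of a constructed key may issue self-signatures.

# Key Flags bits, first octet (RFC 4880 section 5.2.3.21)
CERTIFY = 0x01          # may certify other keys (needed for self-signatures)
SIGN = 0x02             # may sign data
ENCRYPT_COMMS = 0x04
ENCRYPT_STORAGE = 0x08
SPLIT_KEY = 0x10
AUTHENTICATE = 0x20
GROUP_KEY = 0x80

KEY_FLAGS_SUBPACKET = 27
FLAG_NAMES = [(CERTIFY, "certify"), (SIGN, "sign"), (ENCRYPT_COMMS, "encrypt-comms"),
              (ENCRYPT_STORAGE, "encrypt-storage"), (SPLIT_KEY, "split-key"),
              (AUTHENTICATE, "authenticate"), (GROUP_KEY, "group-key")]


def parse_subpackets(data: bytes):
    """Return a list of (critical, type, body) for each subpacket in a
    signature subpacket area, using the 1/2/5-octet length encoding of
    RFC 4880 section 5.2.3.1.  Raises ValueError on truncated input."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 1 >= len(data):
                raise ValueError("truncated subpacket length")
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:                                 # five-octet length
            length = int.from_bytes(data[i + 1:i + 5], "big")
            i += 5
        if length == 0 or i + length > len(data):
            raise ValueError("truncated or malformed subpacket")
        type_octet = data[i]                  # bit 7 marks a critical subpacket
        out.append((bool(type_octet & 0x80), type_octet & 0x7F, data[i + 1:i + length]))
        i += length
    return out


def key_flags(subpacket_area: bytes) -> int:
    """Key Flags bitmask from the first octet of the subpacket, 0 if absent."""
    for _critical, typ, body in parse_subpackets(subpacket_area):
        if typ == KEY_FLAGS_SUBPACKET and body:
            return body[0]
    return 0


def describe(flags: int):
    return [name for bit, name in FLAG_NAMES if flags & bit]


def self_signature_issuers(key):
    """Keys that may issue self-signatures: the primary key always can, a
    subkey only if its binding signature carries the certify flag.  `key`
    is a dict {name: subpacket_area} with an entry "primary" (assumed layout)."""
    return [name for name, area in key.items()
            if name == "primary" or key_flags(area) & CERTIFY]


# Constructed subpacket areas (not real keys): a creation-time subpacket
# (type 2, 4 octets) followed by a Key Flags subpacket.
PRIMARY = bytes([0x05, 0x02, 0x5B, 0x07, 0xF4, 0x32, 0x02, 0x1B, CERTIFY | SIGN])
DEVICE_CERT_SUBKEY = bytes([0x02, 0x1B, CERTIFY | SIGN])           # per-device certification subkey
ENCRYPTION_SUBKEY = bytes([0x02, 0x1B, ENCRYPT_COMMS | ENCRYPT_STORAGE])
EXAMPLE_KEY = {"primary": PRIMARY, "laptop-cert": DEVICE_CERT_SUBKEY, "enc": ENCRYPTION_SUBKEY}

if __name__ == "__main__":
    for name, area in EXAMPLE_KEY.items():
        print(f"{name:12s} {describe(key_flags(area))}")
    print("can self-sign:", self_signature_issuers(EXAMPLE_KEY))
```

A client deciding whether to honour a signature made by a subkey would check these flags on the subkey's binding signature (and, for a critical subpacket it does not understand, reject the signature), which is where the "validity calculation" concern raised above would have to be handled.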


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp