ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] Clarify status of subkeys with certification use

2018-05-25 15:01:37
from [Daniel Kahn Gillmor] [Permanent Link] 
On Fri 2018-05-25 11:59:44 +0200, Neal H. Walfield wrote:


Justus and I have been thinking about how to realize per-device keys
and approximate forward secrecy.  These two things are related: if we
want devices to do their own key rotation (and I think this is
sensible, as the alternative is to somehow regularly transfer secret
key material to each device), then the devices need to be able to
generate self-signatures.  Since we don't want all devices to have
access to the primary key, each device could have its own
certification subkey.


I've also been thinking about how to do forward secrecy, but i think
i've come to the opposite result as Neal and Justus here.

Per-device keys are bad for user privacy (they leak how many devices the
user has), and they either complicate any potential interface for
cryptographic identity verification (i now need to somehow both know and
understand the range of devices held by my peer), or they provide a
convenient mechanism for a wiretap capability (sneak in an extra
certification key for a user somehow).

you can still keep a primary certification-capable key offline (or on a
"master" client), while retaining the ability to revoke access to
certain clients -- you just need to revoke existing subkeys, and provide
all remaining good clients with the new subkeys, so i don't see
certification-capable subkeys as a win there either.

And i believe that sensible clients connected to a single account will
need a way to synchronize *other* state as well -- not just secret keys
-- so there's not much of a savings on the difficulty of state
synchronization here anyway.

Additionally (as i wrote elsewhere in this thread) i think they
represent pretty serious implementation complexity, which i don't think
is healthy for the ecosystem.

So i'm still on the side of trying to make more explicit the current
assumption that only primary keys hold certification capabilities.

           --dkg

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] Clarify status of subkeys with certification use, Kristian Fiskerstrand
Next by Date:  Re: [openpgp] Clarify status of subkeys with certification use, Daniel Kahn Gillmor
Previous by Thread:  Re: [openpgp] Clarify status of subkeys with certification use, Kristian Fiskerstrand
Next by Thread:  Re: [openpgp] Clarify status of subkeys with certification use, Neal H. Walfield
Indexes:  [Date] [Thread] [Top] [All Lists]