ietf-openpgp

Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

2019-10-17 05:12:47

Daniel Kahn Gillmor <dkg(_at_)fifthhorseman(_dot_)net> wrote:
    > For secret key recovery, presumably the user has the OpenPGP certificate
    > ("transferable public key") available to them already, which contains
    > all the above information already.  I'd imagine that the recovery
    > process in the OpenPGP context would take the certificate and the
    > mnemonic, deriving all of the above fields from the certificate.

I think that this makes sense.
And it's already signed :-)

    > I'm not personally very convinced about this general approach -- it's
    > the equivalent of an unchangeable password that you've committed to
    > publicly (so anyone who thinks they have a good guess at your password
    > can verify it offline against your public key fingerprint).

That's a good point; however, sometimes perfect is the enemy of good enough,
and that has been the case for encrypted email for a long time.

A recoverable key would be an option, not a requirement.

{An interesting (mathematical, density of primes) question would be whether
one would be able to determine from looking at the public key whether it was
recoverable or not.  That is, can one recognize some pattern in the expanded
DRBG?  It might still be statistically secure, yet since the amount of entropy
in the key is less than the entropy in the input, it might leave a pattern.}

--
Michael Richardson <mcr+IETF(_at_)sandelman(_dot_)ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
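The recovery check discussed in this message, as an added example that is not code from the thread or from any OpenPGP implementation: the key is regenerated from the mnemonic, the creation time is read from the certificate, and the resulting v4 fingerprint is compared with the certificate's. Assumptions: an Ed25519 primary key, PBKDF2-HMAC-SHA512 as a stand-in for whatever seed expansion a real scheme would specify, and hypothetical names (`derive_seed`, `recover`, the salt label).

```python
import hashlib, struct

# Ed25519 public key from a 32-byte seed (RFC 8032), pure Python so this runs offline.
P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P
_GY = 4 * pow(5, P - 2, P) % P
_GX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
G = (_GX, _GY, 1, _GX * _GY % P)

def _add(a, b):  # point addition in extended coordinates (X, Y, Z, T)
    A, B = (a[1]-a[0]) * (b[1]-b[0]) % P, (a[1]+a[0]) * (b[1]+b[0]) % P
    C, E = 2 * a[3] * b[3] * D % P, 2 * a[2] * b[2] % P
    return ((B-A)*(E-C) % P, (E+C)*(B+A) % P, (E-C)*(E+C) % P, (B-A)*(B+A) % P)

def ed25519_public(seed: bytes) -> bytes:
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)  # clamp
    q, acc = G, (0, 1, 1, 0)
    while a:  # double-and-add; not constant time, illustration only
        if a & 1:
            acc = _add(acc, q)
        q, a = _add(q, q), a >> 1
    zinv = pow(acc[2], P - 2, P)
    x, y = acc[0] * zinv % P, acc[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

ED25519_OID = bytes.fromhex("2b06010401da470f01")  # 1.3.6.1.4.1.11591.15.1

def v4_fingerprint(pub: bytes, created: int) -> str:
    # v4 public-key packet body: version, creation time, algorithm 22 (EdDSA), OID, MPI.
    body = struct.pack(">BIB", 4, created, 22) + bytes([len(ED25519_OID)]) + ED25519_OID
    body += struct.pack(">H", 263) + b"\x40" + pub  # MPI: 0x40 prefix + 32-byte point
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def derive_seed(mnemonic: str) -> bytes:
    # Assumption: KDF, salt label and iteration count are placeholders, not from the thread.
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), b"hypothetical-openpgp-seed-v0", 100_000, 32)

def recover(mnemonic: str, cert_created: int, cert_fingerprint: str):
    """Return the seed if the mnemonic regenerates the certificate's primary key, else None."""
    seed = derive_seed(mnemonic)
    # The comparison uses only public certificate data, so the KDF cost is all that bounds it.
    return seed if v4_fingerprint(ed25519_public(seed), cert_created) == cert_fingerprint else None

if __name__ == "__main__":
    created, words = 1571288400, "constructed sample mnemonic not a real wordlist"  # constructed
    fpr = v4_fingerprint(ed25519_public(derive_seed(words)), created)
    print(fpr, recover(words, created, fpr) is not None, recover(words, created + 1, fpr))
```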