[Endymail] Parts of the problem - managing private keys
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 02 September 2014 19:31 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: endymail@ietfa.amsl.com
Delivered-To: endymail@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id EB2F71A068A
for <endymail@ietfa.amsl.com>; Tue, 2 Sep 2014 12:31:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.422
X-Spam-Level: *
X-Spam-Status: No, score=1.422 tagged_above=-999 required=5
tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001]
autolearn=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id RN4onjzfIrdX for <endymail@ietfa.amsl.com>;
Tue, 2 Sep 2014 12:31:56 -0700 (PDT)
Received: from mail-la0-x22d.google.com (mail-la0-x22d.google.com
[IPv6:2a00:1450:4010:c03::22d])
(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 569B41A0680
for <endymail@ietf.org>; Tue, 2 Sep 2014 12:31:56 -0700 (PDT)
Received: by mail-la0-f45.google.com with SMTP id pn19so8465589lab.32
for <endymail@ietf.org>; Tue, 02 Sep 2014 12:31:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:sender:date:message-id:subject:from:to:content-type;
bh=al5vsxuTKC83k+bp2hGKCVPE2eK98BG74CePBnrZvqw=;
b=YAisva/e0EDEtzdls/oD0rjnww0ThXe2H8X4Mf0UOifOzQmtFXQ25q2zWibP7DmN9r
FVKwmz0iKnpE41MeigP79injkeUK4qXbP+4cl6/cNs1ljY/+zu9cKTe7sFF72ntqgb8h
A9cEUQt/eNMMYbZ7kHjZ3jNaLFeoJJW8AUUne5pbSvmFu8aJAYnTkS9sJ+gitjCii2o6
I7li+8HlAmefENaDVAT5vYz//HCc1IuNgiov4YEduOdD00XQt4ZqNJm/9PiS/ntnp81t
UDj7iXWrNJTbYh4e4S12JHsdLCaivJG2xmamCRWWMzoy6vLiaRx0ffoAnmireICKS/2r
Hing==
MIME-Version: 1.0
X-Received: by 10.152.26.202 with SMTP id n10mr16051404lag.4.1409686314356;
Tue, 02 Sep 2014 12:31:54 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.122.50 with HTTP; Tue, 2 Sep 2014 12:31:54 -0700 (PDT)
Date: Tue, 2 Sep 2014 15:31:54 -0400
X-Google-Sender-Auth: xbktA76eD9zAPUr0Nk4FhjzX1LA
Message-ID: <CAMm+LwhdE3XaPLSUNy9A_iyJTsHKe8n=VJU0k_Pb+UKcR5hEuw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: endymail <endymail@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/endymail/F3e3E2-b_MWEfq4nlHtDMkd8AXM
Subject: [Endymail] Parts of the problem - managing private keys
X-BeenThere: endymail@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <endymail.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/endymail>,
<mailto:endymail-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/endymail/>
List-Post: <mailto:endymail@ietf.org>
List-Help: <mailto:endymail-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/endymail>,
<mailto:endymail-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Sep 2014 19:31:58 -0000
Lets drill down on some of the parts of the problem that are not 'trust'. One of the biggest problems for end users is managing private keys. And quite often this problem gets exported back into the 'trust' area by deciding the answer to 'what happens if the user forgets a passphrase' be 'let them reboot their trust network from scratch'. I like the concept of using a fingerprint of a public key as the lynch-pin for the trust infrastructure. Every trust infrastructure proposed to date can deliver a key fingerprint as output. They are short and convenient. What I don't like is having to work out mechanisms for rebooting the trust network in the case that a passphrase is forgotten or the like. So I want to give the end user the tools that allow them to make that as infrequent as possible. I want it to be possible for a user to keep their master public key life long. Email isn't the only thing that we are going to hang off this infrastructure. Lets imagine our user decides to take nude pictures of themselves and store them in the cloud. If they are sensible, they likely want to have some form of encryption in place. When I looked at the set of requirements that result, they look pretty much the same as the requirements for running an embedded root key for a CA because, well that is what we are doing. We are giving the end user a personal PKI hierarchy with themselves at the root of trust. So this is the current hierarchy I give people. [NB please just assume I don't do anything stupid here as this is an abbreviated version] Master key - self signed cert valid 30 years Sub key - cert signed by master, valid 10 years Use keys (Minimum) all signed by sub key * Common encryption key valid 3 months * Per device signature key valid 5 years for use in authentication * Per device encryption key for use in distributing keys. Now this might seem to be a lot of keys but it isn't a problem because the user does not need to be aware of this complexity. As far as they are concerned they just have one key. Separating the concerns like this solves a lot of problems. I don't worry too much about revocation because we can deal with that by rotating the encryption keys. Just stop giving the device new decryption keys if it is lost. I make no assumptions about how the keys are stored on the machine. I do not approve of mandatory passphrases. If people really have secrets so important they worry if they lose their device then they will use the locking function on their device. The only key I escrow right now is the master key. And that is encrypted under a session key which is then split in two. Right now we are just using 2 way XOR splitting and BASE-32 encoding. But QR codes would be better. I am currently working on the code for an escrow scheme where the encrypted private key would be stored on a service which will only release it to someone who can provide proof they know the decryption key. This eliminates the need to depend on the user not loosing their encrypted key blob. Moving keys from one device to another is just a matter of sending each device a message with the new decryption key encrypted under their per device encryption key. What I have not yet really looked into is how we escrow the encryption keys for messages. I was thinking we would have a master decryption key and escrow that. But I can imagine people wanting to have multiple keys for different email accounts with different policies attached. So for example if you are a journalist you might well want to not use escrow at all. There are also concerns for what happens when you die. So for example you might want your heirs to know where you buried aunt Miranda's jewelry and give then the info on how to retrieve that key. But you would likely want to take where you buried Aunt Miranda to the grave with you. So I am now thinking of adding in additional keys that would be encryption escrow keys that were backed up in the same way as the master. i.e. encrypted in the cloud by default but with the option of keeping the binary blob yourself.
- [Endymail] Parts of the problem - managing privat… Phillip Hallam-Baker