IETF Logo Mail Archive

Re: Forward Secrecy

Ian G <iang@systemics.com> Mon, 28 February 2005 20:15 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA02170 for <openpgp-archive@lists.ietf.org>; Mon, 28 Feb 2005 15:15:53 -0500 (EST)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j1SJoV2i001316; Mon, 28 Feb 2005 11:50:31 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j1SJoVKZ001314; Mon, 28 Feb 2005 11:50:31 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from www.enhyper.com (mailgate.enhyper.com [62.49.250.18]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j1SJoTj0001295 for <ietf-openpgp@imc.org>; Mon, 28 Feb 2005 11:50:30 -0800 (PST) (envelope-from iang@systemics.com)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id j1SKnra04767 for <ietf-openpgp@imc.org>; Mon, 28 Feb 2005 20:50:09 GMT
X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol
Message-ID: <42237702.50604@systemics.com>
Date: Mon, 28 Feb 2005 19:54:42 +0000
From: Ian G <iang@systemics.com>
Organization: http://financialcryptography.com/
User-Agent: Mozilla Thunderbird 1.0 (X11/20050219)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: Forward Secrecy
References: <20050228184109.2C6BA57EBA@finney.org>
In-Reply-To: <20050228184109.2C6BA57EBA@finney.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit

Hal Finney wrote:

>http://www.links.org/dnssec/draft-brown-pgp-pfs-04.txt.
>
>   Using a series of encryption keys, each with a short lifetime,
>   reduces the information revealed by the compromise of any one private
>   key because each key protects less data.  If expired keys are
>   securely deleted, attackers will never be able to retrieve them to
>   decrypt captured ciphertext.  Therefore when a public encryption key
>   expires, an OpenPGP client MUST securely wipe the corresponding
>   private key [4].
>
>I don't agree that OpenPGP clients MUST always securely wipe expired
>private keys.  In the context of a user who wants PFS, this makes sense.
>But for a user who wants to be sure he can decrypt his messages, this
>is a bad policy.  For example, some mail systems may store the messages
>in encrypted form, and he needs to keep the key around in order to read
>those messages in the future.
>  
>

I'm inclined to think that this would be bad
practice.  If a mail system were to want to
keep mail around for encryption purposes,
I'd say it should re-encrypt the packet using
a local key.

The alternate - saving the encrypted message
in the form as it was sent over the network -
leads to all sorts of key management trouble
later on.  It means that keys have to be kept
around for as long as the oldest email, which
isn't really likely to please anyone.


>But this leads to a larger concern, which is that much of this draft
>specifies client behavior in a manner which has traditionally been out
>of scope for our working group.  We would not normally propose to give
>guidelines for UI such as the existence of a panic mode, and how clients
>should respond to it.  For example, we do not attempt to prescribe how
>client software should display signed messages, what information should
>be shown from a signature, or how to depict messages which are partially
>signed and partially unsigned.
>  
>

I'd agree with that.  Although, if PFS is to
be achieved, a certain amount of guidance
would be required ... to explain things like
"must wipe the transport key after re-encrypting."

>I won't try to go through the rest of the draft at this time.  As I said,
>I support the goal of PFS, but I am skeptical about whether it makes
>sense for our WG to promulgate such detailed advice on a relatively
>narrow aspect of security.
>  
>

One comment - the URL points to an ID, a draft
presumably heading for standards track.  Would
it make more sense to specify a more client-oriented
document if it was informational track?

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/

v2.23.0 | Report a Bug | By Email