Re: [openpgp] Clarify status of subkeys with certification use

Leo Gaspard <ietf@leo.gaspard.ninja> Sun, 27 May 2018 17:00 UTC

To: "Neal H. Walfield" <neal@walfield.org>
Cc: openpgp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/bCcqbq6nfdv5r3udq8sMQWLywRA>

On 05/27/2018 11:32 AM, Neal H. Walfield wrote:
> On Fri, 25 May 2018 12:26:54 +0200,
> Leo Gaspard wrote:
>> Another use case supporting this opinion: certification subkeys are also
>> a way to increase the security of an offline OpenPGP key, as with them
>> it becomes possible to put the master key behind a diode while still
>> being able to certify keys, and only ever move data out:
> 
> FWIW, this workflow does not require certification subkeys.  You can
> instead create two keys, an offline key and an online
> certification-only key.  Then, you *t*sign the certification key using
> the offline key.  This means that anyone who adds your offline key as
> a trusted introducer will automatically trust your online
> certification key.  Check out Section 6.3.12 of the following text for
> more details:
> 
>   https://gnupg.org/ftp/people/neal/an-advanced-introduction-to-gnupg/an-advanced-introduction-to-gnupg.pdf
> 
> :) Neal

Indeed it's already possible, the issue with this solution being that
people willing to rely on signatures by the master key now need to
download two keys (the master key and the trusted introducer), and
another one after any compromise, while certification subkeys are
downloaded and updated at the same time as the master key, thus making
for a more easy-to-use WoT.

Then, I do agree that it's a somewhat infrequent use case, which is the
reason why I did not post it here until you came up with a more convincing
one :)

Leo