Re: [openpgp] Clarify status of subkeys with certification use

Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com> Fri, 25 May 2018 15:25 UTC

To: Leo Gaspard <ietf=40leo.gaspard.ninja@dmarc.ietf.org>, openpgp@ietf.org
References: <c37c7f94-edef-7f2d-9151-787112abcbfc@sumptuouscapital.com> <8736yg2gz3.wl-neal@walfield.org> <7dcf3192-e004-c95f-7b62-cdbb31f40c0d@leo.gaspard.ninja>
From: Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com>
Message-ID: <df76b04b-8fc2-0ced-5415-744dc8032c4a@sumptuouscapital.com>
Date: Fri, 25 May 2018 17:25:00 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
In-Reply-To: <7dcf3192-e004-c95f-7b62-cdbb31f40c0d@leo.gaspard.ninja>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/d1yhHTWtwIdm-3SLEzn-nExyXVA>
Subject: Re: [openpgp] Clarify status of subkeys with certification use

On 05/25/2018 12:26 PM, Leo Gaspard wrote:
> Another use case supporting this opinion: certification subkeys are also
> a way to increase the security of an offline OpenPGP key, as with them
> it becomes possible to put the master key behind a diode while still
> being able to certify keys, and only ever move data out:
>  1. On the machine with the master key, generate a certification subkey
>  2. Move the certification subkey to another system, less trusted
>  3. Push the to-be-signed key to this other system
>  4. On this other system, certify the to-be-signed key
>  5. Rotate the certification subkey from time to time to be able to
> revoke one were it compromised

I'm not sure I buy this argument; the WoT is expected to be long-term,
and if you need to rotate the certification subkey, it sounds like you're
making it more temporary of sorts. Wouldn't just having a separate CA
key that is fully trusted (presumably locally signed and not exportable)
accomplish much of the same for more "temporary" signatures, i.e. those
not exported to the view of the rest of the ecosystem / external users?

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
There are two tragedies in life. One is to lose your heart's desire. The
other is to gain it.
 - George Bernard Shaw
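Added example, not part of the thread or of any implementation discussed in it: a small Python model of the point under debate. It encodes and parses the RFC 4880 Key Flags subpacket (type 27, certify bit 0x01), then applies a policy switch that decides whether a certification made by a certification-capable *subkey* is honoured at all, and walks through the rotation step of the quoted procedure (revoke the old certification subkey, bind a new one). The `Key` dataclass, the `accept_subkey_certifications` switch and the constructed sample keys are this example's own assumptions; the bit values and subpacket layout follow RFC 4880 sections 5.2.3.1 and 5.2.3.21.

```python
"""Key Flags (RFC 4880 5.2.3.21) and a policy check for certification-capable subkeys.

Constructed example; the keys below are toy data, not real OpenPGP packets.
"""
from dataclasses import dataclass, replace

# Key Flags bit values, RFC 4880 section 5.2.3.21 (first octet of the body)
FLAG_CERTIFY = 0x01          # may certify other keys
FLAG_SIGN = 0x02             # may sign data
FLAG_ENCRYPT_COMMS = 0x04
FLAG_ENCRYPT_STORAGE = 0x08
FLAG_SPLIT = 0x10
FLAG_AUTH = 0x20
FLAG_SHARED = 0x80

SUBPACKET_KEY_FLAGS = 27     # subpacket type for Key Flags


def encode_key_flags_subpacket(flags: int) -> bytes:
    """Serialise a one-octet Key Flags subpacket as length, type, body.
    RFC 4880 5.2.3.1: a length below 192 is a single octet and counts the
    type octet plus the body, so a one-octet body gives length 2."""
    body = bytes([flags & 0xFF])
    return bytes([1 + len(body), SUBPACKET_KEY_FLAGS]) + body


def parse_subpackets(data: bytes) -> dict:
    """Parse a run of subpackets with one-octet lengths into {type: body}.
    Only the short-length form is handled, which is all this toy data uses."""
    out = {}
    i = 0
    while i < len(data):
        length = data[i]
        if length >= 192:
            raise ValueError("multi-octet subpacket lengths not handled here")
        sp_type = data[i + 1] & 0x7F       # high bit of the type octet is 'critical'
        out[sp_type] = data[i + 2 : i + 1 + length]
        i += 1 + length
    return out


def key_flags(hashed_subpackets: bytes) -> int:
    """Return the first Key Flags octet, or 0 if the subpacket is absent."""
    body = parse_subpackets(hashed_subpackets).get(SUBPACKET_KEY_FLAGS, b"")
    return body[0] if body else 0


@dataclass(frozen=True)
class Key:
    """Hypothetical key record: the hashed subpackets are those of the
    self-signature (primary) or the subkey binding signature (subkey)."""
    fingerprint: str
    hashed_subpackets: bytes
    is_primary: bool
    revoked: bool = False


def may_certify(key: Key, accept_subkey_certifications: bool) -> bool:
    """Should a certification (0x10..0x13 signature) made by `key` be honoured?
    `accept_subkey_certifications` is this example's stand-in for the policy
    question in the thread: a strict verifier only trusts the primary key."""
    if key.revoked:
        return False
    if not key_flags(key.hashed_subpackets) & FLAG_CERTIFY:
        return False
    return key.is_primary or accept_subkey_certifications


def rotate_certification_subkey(keyring: list, new_subkey: Key) -> list:
    """Step 5 of the quoted procedure: revoke every live certification-capable
    subkey and bind the replacement. Returns a new keyring list."""
    rotated = []
    for k in keyring:
        if (not k.is_primary and not k.revoked
                and key_flags(k.hashed_subpackets) & FLAG_CERTIFY):
            k = replace(k, revoked=True)
        rotated.append(k)
    rotated.append(new_subkey)
    return rotated


# Constructed sample keyring: primary with C+S, a certification subkey, an encryption subkey
PRIMARY = Key("AAAA" * 10, encode_key_flags_subpacket(FLAG_CERTIFY | FLAG_SIGN), True)
CERT_SUBKEY = Key("BBBB" * 10, encode_key_flags_subpacket(FLAG_CERTIFY), False)
ENCRYPT_SUBKEY = Key("CCCC" * 10,
                     encode_key_flags_subpacket(FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE), False)
KEYRING = [PRIMARY, CERT_SUBKEY, ENCRYPT_SUBKEY]


def certifiers(keyring: list, accept_subkey_certifications: bool) -> list:
    """Fingerprints in `keyring` whose certifications a verifier would honour."""
    return [k.fingerprint for k in keyring if may_certify(k, accept_subkey_certifications)]


if __name__ == "__main__":
    print("strict:    ", certifiers(KEYRING, False))
    print("permissive:", certifiers(KEYRING, True))
    new = Key("DDDD" * 10, encode_key_flags_subpacket(FLAG_CERTIFY), False)
    print("after rotation:", certifiers(rotate_certification_subkey(KEYRING, new), True))
```

Under the strict policy only the primary key ever appears in `certifiers`, which is why the rotation scheme in the quoted procedure only buys anything if verifiers accept subkey certifications in the first place; under the permissive policy the rotation shows the old subkey dropping out once it is marked revoked.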