Re: [openpgp] Clarify status of subkeys with certification use

Leo Gaspard <ietf@leo.gaspard.ninja> Fri, 25 May 2018 21:54 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/lgsyap1De3yiUaXb9ph86tsVBR4>

On 05/25/2018 05:25 PM, Kristian Fiskerstrand wrote:
> On 05/25/2018 12:26 PM, Leo Gaspard wrote:
>> Another use case supporting this opinion: certification subkeys are also
>> a way to increase the security of an offline OpenPGP key, as with them
>> it becomes possible to put the master key behind a diode while still
>> being able to certify keys, and only ever move data out:
>>  1. On the machine with the master key, generate a certification subkey
>>  2. Move the certification subkey to another system, less trusted
>>  3. Push the to-be-signed key to this other system
>>  4. On this other system, certify the to-be-signed key
>>  5. Rotate the certification subkey from time to time to be able to
>> revoke one were it compromised
> 
> I'm not sure I buy this argument, the WoT is expected to be long-term,
> if needing to do rotation of certification subkey, it sounds like you're
> making it more temporary of sorts. Wouldn't just having a separate CA
> key that is fully trusted (presumably locally signed and not exportable)
> accomplish much of the same for more "temporary" signatures, i.e those
> not exported to view of the rest of the ecosystem / external users?

Sorry if I was unclear, the idea was not to make the certification
subkey temporary, but to only use it for a given period of time, and
then delete it (while not revoking or expiring it).

This way so long as there is no compromise of the certification subkey
things stay exactly the same, but when a certification subkey is
compromised (e.g. because it had to parse a malformed public key to sign
it, or due to an attack on the way the data was transferred or any other
attack), it can simply be revoked, without compromising the master key
and its UID signatures.

The idea of rotation was thought to not invalidate all the
previously-made signatures in case of compromise, but an alternative
could be to not rotate so long as the certification subkey is not
compromised, and on certification subkey compromise tighten the WoT by
that much.

Sorry for the wording of point 5, it was not clear at all indeed.
Hopefully it's better now.
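
A small model of the trade-off discussed in this message, added as an example and not part of the original email: it compares how many certifications survive a subkey compromise with and without rotation. The class and function names are hypothetical, and the rule that revoking a compromised subkey voids every certification it made is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass
class CertSubkey:
    name: str
    deleted: bool = False   # secret half destroyed; not revoked, not expired
    revoked: bool = False   # revoked after compromise

@dataclass
class MasterKey:
    """Offline master key; it only creates and revokes certification subkeys."""
    subkeys: list = field(default_factory=list)
    certs: list = field(default_factory=list)   # (issuing subkey, certified key)

    def rotate(self):
        # Retire the active subkey by deleting it, then issue a fresh one.
        if self.subkeys:
            self.subkeys[-1].deleted = True
        self.subkeys.append(CertSubkey(f"cert-subkey-{len(self.subkeys) + 1}"))

    def certify(self, target):
        # Runs on the less trusted system, which holds only the active subkey.
        self.certs.append((self.subkeys[-1], target))

    def revoke_active(self):
        # Assumption: revocation for compromise voids every certification
        # the subkey made, whatever its date.
        self.subkeys[-1].revoked = True

    def valid_certs(self):
        return [t for sk, t in self.certs if not sk.revoked]

def simulate(targets, rotate_every, compromise_after):
    """Certify targets in order; the subkey active after `compromise_after`
    certifications is compromised and revoked. rotate_every=0: no rotation."""
    mk = MasterKey()
    mk.rotate()
    for i, target in enumerate(targets, start=1):
        mk.certify(target)
        if i == compromise_after:
            mk.revoke_active()
            mk.rotate()
        elif rotate_every and i % rotate_every == 0:
            mk.rotate()
    return mk.valid_certs()

if __name__ == "__main__":
    keys = ["A", "B", "C", "D", "E", "F"]   # constructed sample key names
    print("rotating:    ", simulate(keys, 2, 5))
    print("no rotation: ", simulate(keys, 0, 5))
```

In both runs the master key and its UID signatures are untouched; only the number of certifications lost to the revocation differs.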