[messaging] key validation rules for today

elijah elijah at riseup.net
Mon Sep 8 11:00:26 PDT 2014 

On 09/08/2014 06:38 AM, Daniel Kahn Gillmor wrote:
> On 09/08/2014 06:22 AM, Daniel Thomas wrote:
>> I think for key validation it is important to ensure that it says 'keys'
>> in all the appropriate places as in general users will likely have one
>> key per device (so that they fail independently) and several devices.
>> Does that seem sensible? 
> 
> With OpenPGP, you'd want to do this with subkeys -- so they're all part
> of the same OpenPGP certificate.  However, it's only sensible for
> signing keys.  for encryption keys, you really do need to share the key
> across all of your devices. this is because when someone encrypts a
> message to you, they need to know which key to encrypt to (and they'll
> generally only pick one).

Yes, the document is hand wavy about how subkeys work. If you read far
enough down, there is a section at the bottom about future support for
device keys, by requiring a practice that a client should encrypt to all
encryption subkeys that match the uid.

Even support for this would be a problem, since the goal with device
keys is to not need to share anything, so really you need a mechanism to
support multiple primary keys. I wonder, can you have multiple signing
and encryption keys under a single master signing key, and then export
these subkeys to a device but not export the master key?

For the moment, however, the assumption is that the recipient has a
single encryption key for a particular uid, since that is current practice.

>> Is it useful to distinguish between 'this is a new key,
>> signed by my old key which is now deprecated' and 'this is a new key,
>> signed by my old key which will keep on being used'?
> 
> The current way (in OpenPGP, when considering key transitions between
> primary keys) to distinguish between these cases is to revoke the old
> key.

As written, there is no mechanism for two primary keys used by Alice, so
there is no 'keep using an old key' with respect to Alice, but Bob is
free to publish two active primary keys if he wants and not revoke
either one. Different people would end up using different ones,
depending on how they happened to have discovered and validated the keys.

OpenPGP is wonderful in how flexible it is. OpenPGP is horrible in how
flexible it is. A lot of the minutia is still not worked out, but will
need to be at some point. Edits welcome. :)

-elijah

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140908/d24defe4/attachment.sig>

More information about the Messaging mailing list