[messaging] Verified key transitions (was: TOFU to ease PGP key discovery)

Trevor Perrin trevp at trevp.net
Tue Feb 10 22:36:01 PST 2015


On Mon, Feb 9, 2015 at 5:13 PM, elijah <elijah at riseup.net> wrote:
>
> (3) We need common practices for "verified key transitions".

Do you mean this:
 - When you replace your long-term key, the old key signs the new (and
maybe vice versa)?
 - When someone presents their new key with correct signatures, you
silently replace the old one in your local trust store (no key change
warning)

I wonder how useful that is.  Consider the reasons for key replacement:

1) You lost your old key
2) You're proactively replacing your old key
3) Your old key was compromised

This doesn't help (1).

It avoids the warning in (2), but adds complexity - a public key no
longer matches one fingerprint, now it can be verified by any
fingerprint that chains to it.  So your protocols have to deal with
these chains, and users will encounter situations where they had one
fingerprint for Alice before talking to her, and a different one
after.

(3) arguably becomes worse, because someone who steals your private
key can silently replace the public key your correspondents have for
you, just by messaging them.

I'm not sure this is a net positive.

Trevor


More information about the Messaging mailing list