published key security levels
Joel C. Salomon
joelcsalomon at gmail.com
Wed May 12 20:29:18 CEST 2010
On 05/12/2010 11:31 AM, Hauke Laging wrote:
> do you think it would be useful to integrate some information about the "usage
> security" of a key into the key?
<snip>
> Of course, it is not a problem to generate several keys for different levels
> of security. I would not want this key to be accepted for important contracts.
> For different level keys to be useful the users of public keys have to be
> enabled to recognise this level (with cryptographic security).
>
> My idea is to define some levels which can be added e.g. as signature
> notations to the key:
How about this? (I’ll reduce the security levels to two for my
suggestion, but it should scale.):
I generate two keys, one low-security (e.g., “Joel Salomon webmail”) and
one high-security (“Joel Salomon smartcard”). I sign the low-security
key with my high-security key, but I don’t ask others to sign it; the
only key I put into the web of trust is my high-security key.
If the low-security key is compromised, can the attacker rename it (or
otherwise fool people into thinking it’s my high-security key) without
removing my (high-security) signature on the key?
—Joel C. Salomon
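
Added example, not part of the original post: a Python sketch of the data a V4 OpenPGP certification signs under RFC 4880 section 5.2.4, showing that the digest covers both the certified key and the exact User ID string. The key packet body is a constructed placeholder, the algorithm choices (RSA, SHA-256, empty hashed subpackets) are assumptions, and `certification_covers` is a hypothetical helper that compares digests instead of verifying a real signature.

```python
import hashlib
import struct

SIG_TYPE_POSITIVE_CERT = 0x13   # RFC 4880 5.2.1
PK_ALGO_RSA = 1                 # RFC 4880 9.1 (assumed algorithm)
HASH_ALGO_SHA256 = 8            # RFC 4880 9.4 (assumed algorithm)


def certification_digest(key_body: bytes, user_id: str,
                         hashed_subpackets: bytes = b"",
                         sig_type: int = SIG_TYPE_POSITIVE_CERT) -> bytes:
    """SHA-256 digest that a V4 User ID certification signs (RFC 4880 5.2.4)."""
    uid = user_id.encode("utf-8")
    h = hashlib.sha256()
    # Certified key: 0x99, two-octet length, public-key packet body.
    h.update(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    # Certified User ID: 0xB4, four-octet length, User ID octets.
    h.update(b"\xb4" + struct.pack(">I", len(uid)) + uid)
    # Signature packet fields from the version through the hashed subpackets.
    sig_fields = bytes([4, sig_type, PK_ALGO_RSA, HASH_ALGO_SHA256])
    sig_fields += struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
    h.update(sig_fields)
    # Final trailer: 0x04, 0xFF, four-octet length of the signature fields.
    h.update(b"\x04\xff" + struct.pack(">I", len(sig_fields)))
    return h.digest()


def certification_covers(key_body: bytes, certified_uid: str,
                         presented_uid: str) -> bool:
    """True if a certification made over certified_uid matches presented_uid."""
    return (certification_digest(key_body, certified_uid)
            == certification_digest(key_body, presented_uid))


# Constructed placeholder standing in for the low-security key's packet body.
LOW_KEY_BODY = (b"\x04" + struct.pack(">I", 1273688958) + b"\x01"
                + b"constructed-key-material")

if __name__ == "__main__":
    # Same User ID: the digest the certifier signed is reproduced.
    print(certification_covers(LOW_KEY_BODY, "Joel Salomon webmail",
                               "Joel Salomon webmail"))
    # Changed User ID: the digest differs, so the signature would not verify.
    print(certification_covers(LOW_KEY_BODY, "Joel Salomon webmail",
                               "Joel Salomon smartcard"))
```

A verifier recomputes this digest from the key and User ID it is shown, so a certification made over one User ID does not verify against a different one.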