offline primary keys [was: Re: Why 2.1 is delayed for so long]

David Shaw dshaw at jabberwocky.com
Wed Sep 24 17:39:33 CEST 2014


On Sep 24, 2014, at 6:17 AM, Ximin Luo <infinity0 at pwned.gg> wrote:

> On 24/09/14 06:16, David Shaw wrote:
>> On Sep 23, 2014, at 5:51 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>> 
>>> As for Ximin's goals: I think the transition process could look like this:
>>> 
>>> 0) add a signing-capable subkey
>>> 1) remove signing-capability from primary key
>>> 2) move primary key offline
>> 
>> I understand the desire for steps 0 and 2, but I do not see the need for step 1. You can do 0 and 2 without doing 1.  Can you explain why you want 1?
>> 
>> I see actual problems for a primary key that can't issue signatures as well as certifications.

[..]

> What problems do you see?

When certifying someone's key, you are signing the combination of the primary key and the user ID in question.  In addition to the usual checking of IDs and fingerprints, it is reasonable [1] to send a challenge token to the email address (if there is one) in the user ID.  Responding to this challenge with a signed message, quoting the token, proves that the email address reaches someone who has access to the private key that matches the primary key you are signing [2].

If the primary key can't sign, they can't respond to this challenge.  A signing subkey isn't sufficient here, as it can be attached to any number of keys, so a signature from it does not prove access to the primary key.  Backsigs don't help this problem since backsigs only protect against a "stolen" subkey - not against one that is intentionally attached to multiple primary keys.

David

[1] See, for example, https://dougbarton.us/PGP/PGP-Keysigning.pdf
[2] Note I'm not saying that this is necessarily the same entity who you met and checked fingerprints with ;)
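The argument above (a signing subkey can carry a valid binding signature and backsig under more than one primary key, so a challenge answered with the subkey does not pin down which primary key the responder holds) as a runnable model. This is an added example, not code from the thread or from GnuPG: it uses a toy Schnorr signature over a deliberately tiny prime-order group in place of OpenPGP, the certificate structure is a simplified stand-in for OpenPGP key/subkey binding, and the names "alice", "mallory", the private scalars and the challenge token are all constructed for illustration.

```python
"""Toy model of the key-signing challenge from the mail above.

Constructed example: the Schnorr group (p = 2q+1 = 2039, q = 1019, g = 4)
is far too small to be secure and the certificate layout only mimics the
relevant parts of OpenPGP (primary key, subkey, binding signature, backsig).
"""
import hashlib
from dataclasses import dataclass, field

P, Q, G = 2039, 1019, 4   # safe prime p, prime order q, generator g of order q


def _h(*parts: bytes) -> int:
    """Hash to a scalar mod q."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def keypair(x: int):
    """Private scalar x in [1, q-1] -> (private, public = g^x mod p)."""
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    # Deterministic nonce (RFC 6979 style) so the example is reproducible.
    k = _h(b"nonce", x.to_bytes(2, "big"), msg) or 1
    r = pow(G, k, P)
    e = _h(b"chal", r.to_bytes(2, "big"), msg)
    return r, (k + e * x) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = _h(b"chal", r.to_bytes(2, "big"), msg)
    return pow(G, s, P) == r * pow(y, e, P) % P


def _bind_msg(primary_pub: int, sub_pub: int) -> bytes:
    # Stand-in for the OpenPGP binding data (primary key + subkey packets).
    return b"bind:%d:%d" % (primary_pub, sub_pub)


@dataclass
class Cert:
    name: str
    primary_pub: int
    subkeys: dict = field(default_factory=dict)   # sub_pub -> (binding_sig, backsig)


def attach_subkey(cert: Cert, primary_priv: int, sub_priv: int, sub_pub: int):
    """Binding signature by the primary key plus backsig by the subkey."""
    m = _bind_msg(cert.primary_pub, sub_pub)
    cert.subkeys[sub_pub] = (sign(primary_priv, m), sign(sub_priv, m))


def subkey_bound(cert: Cert, sub_pub: int) -> bool:
    """Both binding signature and backsig verify for this cert."""
    if sub_pub not in cert.subkeys:
        return False
    m = _bind_msg(cert.primary_pub, sub_pub)
    binding, back = cert.subkeys[sub_pub]
    return verify(cert.primary_pub, m, binding) and verify(sub_pub, m, back)


def respond(token: bytes, priv: int, pub: int):
    """Answer the mailed challenge: a signature over the token, plus signer key."""
    return pub, sign(priv, b"token:" + token)


def candidate_certs(certs, token: bytes, response) -> set:
    """Every cert the response is consistent with (primary or validly bound subkey)."""
    signer_pub, sig = response
    if not verify(signer_pub, b"token:" + token, sig):
        return set()
    return {c.name for c in certs
            if c.primary_pub == signer_pub or subkey_bound(c, signer_pub)}


def proves_primary_access(cert: Cert, token: bytes, response) -> bool:
    """The check the mail argues for: only a signature by the primary key counts."""
    signer_pub, sig = response
    return signer_pub == cert.primary_pub and verify(signer_pub, b"token:" + token, sig)


# Constructed keys: one signing subkey intentionally attached to two primaries.
alice_priv, alice_pub = keypair(17)
mallory_priv, mallory_pub = keypair(901)
sub_priv, sub_pub = keypair(523)

alice = Cert("alice", alice_pub)
attach_subkey(alice, alice_priv, sub_priv, sub_pub)
mallory = Cert("mallory", mallory_pub)
attach_subkey(mallory, mallory_priv, sub_priv, sub_pub)   # backsig is valid here too
CERTS = [alice, mallory]
TOKEN = b"7f3a-keysigning-challenge"   # constructed challenge token


def demo() -> dict:
    by_sub = respond(TOKEN, sub_priv, sub_pub)
    by_primary = respond(TOKEN, alice_priv, alice_pub)
    return {
        "subkey_candidates": candidate_certs(CERTS, TOKEN, by_sub),
        "primary_candidates": candidate_certs(CERTS, TOKEN, by_primary),
        "subkey_proves_alice": proves_primary_access(alice, TOKEN, by_sub),
        "primary_proves_alice": proves_primary_access(alice, TOKEN, by_primary),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the subkey-signed response is consistent with both certs while the primary-signed response singles out Alice's, which is why the check in `proves_primary_access` insists on the primary key itself rather than accepting any key that is validly bound to it.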