offline primary keys [was: Re: Why 2.1 is delayed for so long]

Ximin Luo infinity0 at pwned.gg
Wed Sep 24 22:57:10 CEST 2014


On 24/09/14 20:28, David Shaw wrote:
>> When you certify a subkey, you mean "I and only I have access to the private component".
> 
> It proves only "I have access to the private component(s)".  It proves you have access to the primary private key and subkey private key because you issued signatures from both of them as part of the certification.  It states nothing provable about any other potential people having access to the private keys.
> 

Actually, it doesn't prove anything about the subkey. It is only a *claim*. Robert mentioned the difference between syntax and semantics in the other email; I do think it is a design flaw not to precisely define the *semantics* of certifications. But granted, this stuff wasn't well-explored when OpenPGP was set in stone.

There might be some magical crypto where we can prove mathematically that the same party owns two private signature keys, but I can't think of any way to do that right this minute, at least not with the elementary signature/encryption primitives that OpenPGP supports. And then we'd still have to expand "Certify" to mean "can be used for this purpose". And this is actually beyond your original scenario of merely proving possession of the master private key.

So, we have to rely on reasoning about *claims*. And we can only do that if we have precise semantics. "I and only I have access to this private key" is a reasonable definition, but I understand it's not the formal standardised one. I am merely suggesting that in a real-world usage, you don't need to worry about it.

> This has the same issue as a signing subkey.
> 

Yes, I know. I was saying that in a realistic scenario, you might more easily be persuaded (:p) to assume that someone would not give their encryption subkey to someone else.

>> But yes, if OpenPGP does not formalise a meaning for certifications, that is a design flaw, not a problem with my proposal per se. Another way to solve it would be to allow the certify key to be used in formal "proof of possession" protocols such as what you described.
> 
> That would be fine as well, but that doesn't exist in OpenPGP today.  It's a bit like saying "go ahead and make a signature just for this case" though.
> 

Well, proof-of-possession is quite a fundamental thing for a key that is supposed to represent "your identity", so I don't think this is that unnatural.

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
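Added example (not part of the thread or of GnuPG's code): the "proof of possession" the discussion keeps circling back to already exists in OpenPGP for one case. A subkey binding signature (type 0x18, made by the primary key) is only the primary's claim; for signing subkeys RFC 4880 section 5.2.1 adds a primary key binding "back-signature" (type 0x19) made by the subkey and embedded in the binding, which GnuPG requires before it will accept signatures from that subkey. An encryption-only subkey cannot sign, so its binding remains a bare claim. The script below models exactly that: a toy Lamport one-time signature stands in for RSA/ECC so it runs with the standard library only (the key reuse below would be unsafe with a real one-time scheme and is tolerated only to keep the demo short), the byte strings and the names Alice and Mallory are constructed, and the "bind:"/"backsig:" framing is this example's own stand-in for the OpenPGP hashed packet layout.

```python
import hashlib
import os

# Toy Lamport one-time signatures stand in for OpenPGP's real signature algorithms.
# All keys, labels and messages in this file are constructed for the example.

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport key pair: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret of each pair, chosen by the corresponding digest bit.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def fingerprint(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))

SIGN, ENCRYPT = b"sign", b"encrypt"   # stand-ins for OpenPGP key-flag subpackets

def binding_data(primary_pk, sub_pk, flags: bytes) -> bytes:
    # What a subkey binding signature covers: primary key, subkey and usage flags.
    return b"bind:" + fingerprint(primary_pk) + fingerprint(sub_pk) + flags

def make_binding(primary_sk, primary_pk, sub_pk, flags, sub_sk=None):
    """Primary certifies the subkey (OpenPGP 0x18). If the subkey can sign and we
    hold its private half, embed a back-signature by the subkey (OpenPGP 0x19)."""
    data = binding_data(primary_pk, sub_pk, flags)
    binding = {"flags": flags, "sig": sign(primary_sk, data)}
    if flags == SIGN and sub_sk is not None:
        binding["backsig"] = sign(sub_sk, b"backsig:" + data)
    return binding

def verify_binding(primary_pk, sub_pk, binding, require_backsig=True) -> bool:
    data = binding_data(primary_pk, sub_pk, binding["flags"])
    if not verify(primary_pk, data, binding["sig"]):
        return False                      # the primary never claimed this subkey
    if binding["flags"] == SIGN and require_backsig:
        # Proof of possession: only the subkey's private half can produce this.
        backsig = binding.get("backsig")
        return backsig is not None and verify(sub_pk, b"backsig:" + data, backsig)
    return True                           # encryption subkey: a claim, nothing provable

def demo():
    alice_sk, alice_pk = keygen()         # Alice's primary (certify) key
    sub_sk, sub_pk = keygen()             # Alice's signing subkey
    _, enc_pk = keygen()                  # Alice's encryption subkey (never signs)
    alice_sign = make_binding(alice_sk, alice_pk, sub_pk, SIGN, sub_sk=sub_sk)
    alice_enc = make_binding(alice_sk, alice_pk, enc_pk, ENCRYPT)

    # Mallory copies Alice's *public* subkeys into his own certificate. He controls
    # his primary, so the 0x18 half verifies; he cannot make the subkey's 0x19 half.
    mal_sk, mal_pk = keygen()
    mal_sign = make_binding(mal_sk, mal_pk, sub_pk, SIGN)
    mal_enc = make_binding(mal_sk, mal_pk, enc_pk, ENCRYPT)

    return {
        "alice_signing_subkey": verify_binding(alice_pk, sub_pk, alice_sign),
        "alice_encryption_subkey": verify_binding(alice_pk, enc_pk, alice_enc),
        "mallory_signing_subkey_no_backsig_check":
            verify_binding(mal_pk, sub_pk, mal_sign, require_backsig=False),
        "mallory_signing_subkey": verify_binding(mal_pk, sub_pk, mal_sign),
        "mallory_encryption_subkey": verify_binding(mal_pk, enc_pk, mal_enc),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Without the back-signature check, Mallory's certificate carrying Alice's signing subkey verifies just as well as Alice's own, and any signature Alice makes with that subkey would be attributed to Mallory; with the check it is rejected. The encryption subkey case stays accepted on both certificates, which is the "claim only" situation the message describes: nothing in the binding can show who holds the decryption key.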



More information about the Gnupg-devel mailing list