offline primary keys [was: Re: Why 2.1 is delayed for so long]

Thu Sep 25 02:45:53 CEST 2014

On Sep 24, 2014, at 4:57 PM, Ximin Luo <infinity0 at pwned.gg> wrote:

> On 24/09/14 20:28, David Shaw wrote:
>>> When you certify a subkey, you mean "I and only I have access to the private component".
>> 
>> It proves only "I have access to the private component(s)".  It proves you have access to the primary private key and subkey private key because you issued signatures from both of them as part of the certification.  It states nothing provable about any other potential people having access to the private keys.
>> 
> 
> Actually, it doesn't prove anything about the subkey. It is only a *claim*. Robert mentioned the difference between syntax and semantics in the other email; I do think it is a design flaw not to precisely define the *semantics* of certifications. But granted, this stuff wasn't well-explored when OpenPGP was set in stone.
> 
> There might be some magical crypto where we can prove mathematically that the same party owns two private signature keys, but I can't think of any way to do that right this minute, at least not with the elementary signature/encryption primitives that OpenPGP supports. And then we'd still have to expand "Certify" to mean "can be used for this purpose". And this is actually beyond your original scenario of merely proving possession of the master private key.

Yes.  I was responding to your statement that "I and only I have access to the private component", which is subtly incorrect.  I agree with you that it is a *claim*, even a common claim, but it is not backed up by the math, which feels like a dangerous path to walk on.  Semantics like that need to be backed up reasonably closely by reality, or we can fool ourselves into thinking something is true (or safe) when it is may not be.  A safer statement (though still only an approximation) is "I have access to the private component".

Take my example of certifying a key only if someone can prove primary key access.  I don't, and didn't, say "possession" as in your example above because the math doesn't prove that.  I also didn't say that the email reached the owner of the key (or even the owner of the email account).  I said "proves that the email address reaches someone who has access to the private key that matches the primary key you are signing".  The math does prove that much. The signature may have been obtained under duress, via hacking, via a stolen key, via trickery, or via any number of other means.  The email account may have been hacked or the particular mail in question lifted off of the computer (in other words the "access" could be pretty darn tenuous), but that private key plus the challenge were involved.  But skip the pedantry: obviously by signing the key I believe that the email reached the key owner (there's my claim), but I'm careful to not assert that as proven.

>>> But yes, if OpenPGP does not formalise a meaning for certifications, that is a design flaw, not a problem with my proposal per se. Another way to solve it would be to allow the certify key to be used in formal "proof of possession" protocols such as what you described.
>> 
>> That would be fine as well, but that doesn't exist in OpenPGP today.  It's a bit like saying "go ahead and make a signature just for this case" though.
>> 
> 
> Well, proof-of-possession is quite a fundamental thing for a key that is supposed to represent "your identity", so I don't think this is that unnatural.

Or we could just leave things where primary keys can make signatures ;)

Seriously, though, I love the symmetry of your suggestion.  A key whose only purpose is to make subkeys is appealing, neat, and clean.  My own key, in fact, is almost exactly this architecture, chosen over 10 years ago for those same reasons.  It makes perfect sense for my use case, but that doesn't make my use case a good default for everyone.

David