offline primary keys [was: Re: Why 2.1 is delayed for so long]

Ximin Luo infinity0 at
Thu Sep 25 12:05:28 CEST 2014

On 25/09/14 01:45, David Shaw wrote:
> On Sep 24, 2014, at 4:57 PM, Ximin Luo <infinity0 at> wrote:
>> On 24/09/14 20:28, David Shaw wrote:
>>>> When you certify a subkey, you mean "I and only I have access to the private component".
>>> It proves only "I have access to the private component(s)".  It proves you have access to the primary private key and subkey private key because you issued signatures from both of them as part of the certification.  It states nothing provable about any other potential people having access to the private keys.
>> Actually, it doesn't prove anything about the subkey. It is only a *claim*. Robert mentioned the difference between syntax and semantics in the other email; I do think it is a design flaw not to precisely define the *semantics* of certifications. But granted, this stuff wasn't well-explored when OpenPGP was set in stone.
>> There might be some magical crypto where we can prove mathematically that the same party owns two private signature keys, but I can't think of any way to do that right this minute, at least not with the elementary signature/encryption primitives that OpenPGP supports. And then we'd still have to expand "Certify" to mean "can be used for this purpose". And this is actually beyond your original scenario of merely proving possession of the master private key.
> Yes.  I was responding to your statement that "I and only I have access to the private component", which is subtly incorrect.  I agree with you that it is a *claim*, even a common claim, but it is not backed up by the math, which feels like a dangerous path to walk on.  Semantics like that need to be backed up reasonably closely by reality, or we can fool ourselves into thinking something is true (or safe) when it is may not be.  A safer statement (though still only an approximation) is "I have access to the private component".

It is *totally* incorrect. :) There is no proof mathematically even that "I have access to the private subkey". I could have added someone else's subkey, and they could have completed the verification on my behalf, against common standard. But does anyone have an incentive to do this?

I do agree that, ideally we should use maths to prove things whenever possible, but there are many things we cannot prove yet, binding two signature keys being one of them. There are things that seem fundamentally impossible to prove too, such as binding a key to a real-world identity. So, we should formalise semantics about *claims*, and develop reasoning to infer things from these claims.

You are right this is dangerous, but it is more dangerous to not have well-defined claims and have fallible humans make vague inferences based on that. With formal semantics, we know the dependency graph of inferences, so we know what goes wrong if a base assumption breaks. And everyone understands what it actually means for an assumption to break. The dependency graph can also help us figure out whether anyone has an incentive to break those assumptions.

> Take my example of certifying a key only if someone can prove primary key access.  I don't, and didn't, say "possession" as in your example above because the math doesn't prove that.  I also didn't say that the email reached the owner of the key (or even the owner of the email account).  I said "proves that the email address reaches someone who has access to the private key that matches the primary key you are signing".  The math does prove that much. The signature may have been obtained under duress, via hacking, via a stolen key, via trickery, or via any number of other means.  The email account may have been hacked or the particular mail in question lifted off of the computer (in other words the "access" could be pretty darn tenuous), but that private key plus the challenge were involved.  But skip the pedantry: obviously by signing the key I believe that the email reached the key owner (there's my claim), but I'm careful to not assert that as proven.

What do you think is the difference between "possession" and "access"? By "possession", I mean "can use the private key to perform private-key operations".

And what does mathematically proving possession of the master key really gain you? You can never prove possession of the subkeys, unless you perform the verification protocol with the subkeys directly too. As I mentioned, I don't think there is a way to mathematically bind two signature keys, i.e. proving the same party has possession of both of them; all the protocols I can think up right now, can be completed with two separate parties (excluding the challenger) that each only have access to one private key.

I do agree with the "mathematically prove whenever possible" principle though, and the master key is the most important thing to prove possession of, so it would be good to solve that. But I don't think an arbitrary-signature capability is worth it, just for this. Better to add things to a whitelist of what "Certify" means. Perhaps OpenPGP already has something that lets us do this, where we can certify a nonce and send it back? (We could certify a bogus public key like 0x000..., and put the nonce in one of the notations?)

> Seriously, though, I love the symmetry of your suggestion.  A key whose only purpose is to make subkeys is appealing, neat, and clean.  My own key, in fact, is almost exactly this architecture, chosen over 10 years ago for those same reasons.  It makes perfect sense for my use case, but that doesn't make my use case a good default for everyone.

But I don't see reasons that it wouldn't be a good default for everyone. The use-case you just mentioned, 99% of people won't even do. And even less people will care about the semantic difference between "prove possession/access to master key" vs "prove possession/access of subkey that is attached to a master key". If you are worried, you can just ask your contact "does anyone else have your private subkey" and hope they don't lie, just like you hope they don't lie about "does anyone have access to your email account".



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140925/33fa2a0e/attachment.sig>

More information about the Gnupg-devel mailing list