Secret splitting w/ threshold

Werner Koch wk@gnupg.org
Sat Mar 23 11:48:02 2002


On Fri, 22 Mar 2002 18:11:56 -0600, Ryan Malayter said:

> Finally, the secret-sharing built into the commercial PGP, while pretty

s/commercial/proprietary/

> passphrase material. What secret sharing capabilites are coming in GnuPG?
> Will it be able to share any secret?

OpenPGP does not define any key splitting algorithm.  I have some
doubts whether this can be accomplised at all using the OpenPGP
protocol.  The hard thing with key splitting is to get the usability
right.  What PGP provides is not sufficient because (afaik) all parts
most be combined on the same machine this does not increase the
security unless that machine is physical secure and provides a clean
protocol to combine the keys.

If your goal is that 2 persons have to sign a document to get a valid
signature, you should setup an organisation policy to enforce this and
use 2 simple signatures.  It is definitely possible to add some policy
enforcement rules to GnuPG.

  Werner