multiple subkeys and key transition

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 9 23:32:52 CET 2010 

On 12/09/2010 04:33 PM, Robert J. Hansen wrote:

> Someone else exploits the old, insecure cert format in a way you don't
> like.

Again, can you give an example of such an exploit?

> Now you're stuck arguing, "wait, that's not my cert... well, it
> /is/ my cert, it's the same cert material, but it's /not/ my cert,
> because that's an old insecure format..."

This sounds confused mainly because you're not distinguishing between
public key material and certificates.  I grant that the distinction may
well not be understood by lawyers and judges, but the conflation of the
terms here makes it needlessly confusing.

Clearer:

"That is not my certificate.  It was revoked (marked as superseded) on
$date.  I continue to use the same key material in a different certificate."

And if addressing a hopelessly legally-minded audience in the USA, you
could add: "of course i didn't make that signature; it uses
$deprecated_algorithm, which i haven't used since NIST deprecated it
back in 2010."

Unless, of course, you didn't follow NIST's guidelines and continued to
use the deprecated algorithms.  Then you couldn't make that claim.

> Remember, in the eyes of the U.S. federal
> court system, MD5 is considered a strong hash with no known attacks
> against it.

Could you cite a reference for this?

> I don't trust the courts to understand these subtle nuances.

There are lots of attacks that can be used against a clueless judiciary,
including things like creating a new key and associating it with your
victim's user ID, generating back-dated signatures and certifications,
etc.  That doesn't make the clueless judiciary a good argument against
the use of User IDs or timestamped signatures and certifications, though.

> There is a big difference between something that is possible and
> harmless in a technical sense, and something that is possible but not
> recommended in a human sense.  Technically, yes, it's possible.  From a
> human factors perspective I would revoke the old cert, create a new one,
> make a clean break with the past and move forward.  Less opportunities
> for human factors to bite me in the posterior.

Except that you've now broken entirely with the past, which is itself a
human factor.  Smooth migration, phased upgrades, and planned
transitions are all good things from a human factors perspective.

Propagating a key across certificate formats might be a reasonable
approach for some of these goals (and of course, there may be other ways
to accomplish them too).

As part of the plans for a new OpenPGP certificate format, i certainly
hope we'll address ways to make the transition to the new format as
smooth as possible for most existing users.

>> Could you point to a reference that explains why a person with a v3 key
>> considered sufficiently-strong by that day's estimation (say, 1024-bit
>> RSA) would have had to create an entirely new key instead of just
>> migrating their old key to v4?
> 
> *Have* to?  None.

OK, how about "were recommended to", or any other reference that
discusses the topic for that key version transition?

My point here is to avoid the creation of FUD around a potential new
version of OpenPGP causing a lot of work, or discouraging people from
using stronger crypto.

The possibility (probability) of a new certificate format coming down
the pike eventually should *not* be used to discourage people from
migrating away from known-weak and deprecated cryptographic algorithms
today.

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101209/6b89157c/attachment-0001.pgp>

More information about the Gnupg-users mailing list