Best practice for periodic key change?

Hauke Laging mailinglisten at hauke-laging.de
Tue May 10 15:26:30 CEST 2011 

Am Dienstag, 10. Mai 2011, 07:10:42 schrieb Jerome Baum:

> an option for GnuPG: reject-subkey-signatures

> No need to change OpenPGP for this.

This is possible only if it is safe for old implementations. I see one option 
for that: A signature notation for this purpose could be defined and this 
notation could be marked critical. The standard says:

"If a subpacket is encountered that is marked critical but is unknown to the 
evaluating software, the evaluator SHOULD consider the signature to be in 
error."

I don't understand whether this refers to the packet type or the packet 
content. If an implementation knows what a notation is (and shows it) but does 
not know the meaning of the new standardized notation what is it supposed to 
do according to RFC 4880? Generate an error saying "I don't understand what 
this notation is about" or signal success saying "I recognize this as a 
notation. (And I don't care about its content.)"?

If the recognition refers to the content then it's easy. There would be the 
practical problem left to check how the (relevant) implementations behave. 
It's no use if you are theoretically right but it is trivial to trick people 
into acceptance of wrong signatures because an often used software does not 
work right.

A safe solution should be to define a new packet type. That might be a generic 
"notation with critical content" type. This would behave like a notation with 
the difference that the recognition check is extended to the content (if this 
packet is marked critical?).

But if the standard is extended then it makes more sense to have subkeys 
certified explicitly instead of forbidding the acceptance of normal subkeys in 
general.


> The CA would then sign the master key that is generated on-card, and the
> certification just won't apply to the sub-keys. Does this solve the "all
> signatures _must_ be generated on-card" issue?

In theory. The practice problem remains: Do "all" implementations behave that 
way.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 555 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20110510/de074369/attachment.pgp>

More information about the Gnupg-users mailing list