Sharing/Storing a private key

Doug Barton dougb at dougbarton.us
Wed Dec 18 19:25:43 CET 2013


On 12/18/2013 08:53 AM, Peter Lebbing wrote:
> On 16/12/13 23:41, Doug Barton wrote:
>> but one argument against what you're suggesting is that it's only as secure
>> as the encryption used in step 1 of the hybrid approach.
>
> If only everything in cryptoland was "only as secure as 3DES"...

I understand that you're not interested in an argument that the 
encryption of the entire secret may not be secure, but everything is 
secure right up until it isn't. (Robert, please ignore my tortuous use 
of "secure" in that sentence.) :)

>> The ability to apply SSS to the entire secret would be quite valuable
>
> I don't see why. If this is because you avoid "insecurities in symmetric
> crypto", I just don't buy it. Otherwise, please explain.

Completely aside from the possibility (however remote) of the crypto 
failing, I'm also thinking of layer 9 issues that can come into play. 
For example I was the one who proposed using SSS to distribute portions 
of the root DNSSEC KSK to members of the community to provide a disaster 
recovery procedure should something catastrophic happen to ICANN. They 
didn't finish the root key protocol until after I left IANA, and what 
they ended up doing instead was using a HSM to store the key. But they 
did end up using SSS with members of the community to share the password 
for the HSM, for the same reason I proposed.

If the HSM hadn't come into play the politically expedient thing to do 
would have been to distribute pieces of the secret, rather than pieces 
of the key used to encrypt the secret. Now I realize that most of the 
people on the list aren't interested in layer 9, but some of us live in 
a world where it is necessary to do so. :)

>> although your concern about entropy use is something that should be addressed
>> explicitly.
>
> And how do you propose to do that?

I don't, I was suggesting that your concerns are valid and that the 
author of the new software is responsible for addressing them.

Doug



