dh key exchange via ascii email?
ileana at fairieunderground.info
Sat Mar 23 20:52:32 CET 2013
> I hadn't quite picked up on the "forward secrecy" bit in your
> original mail.
> Using subkeys, you can skip the signing. Just create throwaway
> encryption subkeys but don't change the primary key that receives the
OK, I kind of thought of that, and I the usability overhead of creating
a subkey, emailing the new public key, and having the recip do the same.
Thanks for the tip on using the !.
> I don't see any principal difference with the overhead of maintaining
> multiple ephemeral symmetric keys between multiple recipients.
> Asymmetric keys are more expensive to create computationally, but I
> think your computer will be able to cope. And all you'd need to do is
> create a few wrappers around GnuPG that force usage of the desired
> subkey (a bang will do that: -r 0xDEADBEEF! forces usage of that
> particular subkey. You might need to quote the exclamation mark for
> your shell).
I wasn't referring to the computation, but the ease of use. If I am
emailing 4 recipients using symettric encryption, there is more forward
secrecy to be gained versus retrieval of 1 key if all conversations are
uing a different key, particularly if 1 conversation lasts 1 day, and
the others go on for months. So you use a seperate key for each
In this case, I would create 4 subkeys, and my recipients would each
I believe you are right that this is essentially the same amount of
work from a usability perspective then my DH idea. However, bring in
keyservers and smart cards into the equation, and this constant subkey
creation and deletion may end up being more of a pain. Additionaly,
the subkey is linked to your key.
Imagine the scenario where Alice and bob email each other back and
forth and create a key via dh. The value of that key is never sent over
email. So an adversary that intercepts those emails and gains a PGP
key, can not necessarily link that conversation, with, for instance, a
symettrically encrypted PGP exchange that begins to appear in some
Would the same "anonymity" be achieved by using throwaway subkeys and
-R hidden recipients, as you suggest? It would appear you are right,
that that approach would work also.
More information about the Gnupg-users