dh key exchange via ascii email?

Ileana ileana at fairieunderground.info
Sat Mar 23 20:52:32 CET 2013

> I hadn't quite picked up on the "forward secrecy" bit in your
> original mail.
> Using subkeys, you can skip the signing. Just create throwaway
> encryption subkeys but don't change the primary key that receives the
> certifications.

OK, I kind of thought of that, and the usability overhead of creating
a subkey, emailing the new public key, and having the recip do the same.

Thanks for the tip on using the !.

> I don't see any principal difference with the overhead of maintaining
> multiple ephemeral symmetric keys between multiple recipients.
> Asymmetric keys are more expensive to create computationally, but I
> think your computer will be able to cope. And all you'd need to do is
> create a few wrappers around GnuPG that force usage of the desired
> subkey (a bang will do that: -r 0xDEADBEEF! forces usage of that
> particular subkey. You might need to quote the exclamation mark for
> your shell).

I wasn't referring to the computation, but the ease of use.  If I am
emailing 4 recipients using symmetric encryption, there is more forward
secrecy to be gained versus retrieval of 1 key if all conversations are
using a different key, particularly if 1 conversation lasts 1 day, and
the others go on for months.  So you use a separate key for each

In this case, I would create 4 subkeys, and my recipients would each
create 1.  

I believe you are right that this is essentially the same amount of
work from a usability perspective than my DH idea.  However, bring in
keyservers and smart cards into the equation, and this constant subkey
creation and deletion may end up being more of a pain.  Additionally,
the subkey is linked to your key.

Imagine the scenario where Alice and Bob email each other back and
forth and create a key via DH.  The value of that key is never sent over
email.  So an adversary that intercepts those emails and gains a PGP
key, cannot necessarily link that conversation, with, for instance, a
symmetrically encrypted PGP exchange that begins to appear in some

Would the same "anonymity" be achieved by using throwaway subkeys and
-R hidden recipients, as you suggest?  It would appear you are right,
that that approach would work also.


> HTH,
> Peter.
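
The exchange described in the message above, where Alice and Bob each mail an ASCII public value and derive the key locally so that the key itself never appears in any mail, as an added example that is not part of the original post. It assumes X25519 (RFC 7748) as the DH function and SHA-256 as the key derivation, neither of which the thread specifies; the armor lines and function names are hypothetical, and the mailed values are unauthenticated unless the mail carrying them is signed.

```python
import base64, hashlib, secrets

P, A24 = 2**255 - 19, 121665          # X25519 field prime and ladder constant (RFC 7748)
BASE = (9).to_bytes(32, "little")     # standard base point u = 9
HEAD, TAIL = "-----BEGIN DH VALUE-----", "-----END DH VALUE-----"  # hypothetical armor

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 ladder on Python ints (not constant-time); X25519 is this example's choice."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64          # clamp the scalar
    n = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def new_private() -> bytes:
    return secrets.token_bytes(32)    # stays on the sender's machine, never mailed

def armor(private: bytes) -> str:
    """ASCII block for the mail body; carries only the public value."""
    pub = base64.b64encode(x25519(private, BASE)).decode()
    return f"{HEAD}\n{pub}\n{TAIL}\n"

def dearmor(mail_body: str) -> bytes:
    """Extract the peer's public value, tolerating '>' reply quoting."""
    lines = [ln.lstrip("> \t").rstrip() for ln in mail_body.splitlines()]
    start, end = lines.index(HEAD), lines.index(TAIL)  # ValueError if absent
    pub = base64.b64decode("".join(lines[start + 1:end]), validate=True)
    if len(pub) != 32:
        raise ValueError("public value must be 32 bytes")
    return pub

def session_key(private: bytes, peer_mail: str, conversation: bytes) -> bytes:
    shared = x25519(private, dearmor(peer_mail))
    if shared == bytes(32):           # peer sent a low-order point
        raise ValueError("degenerate shared secret")
    return hashlib.sha256(b"dh-over-mail\0" + conversation + b"\0" + shared).digest()  # assumed KDF
```

Passing a different `conversation` label for each correspondent or thread gives each one its own symmetric key from fresh private values, which is the per-conversation separation the message asks for.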
