[openpgp] Unuploadable Keys
vedaal at nym.hush.com
Tue Jul 21 23:36:45 CEST 2015
On 7/21/2015 at 5:11 PM, "Daniel Kahn Gillmor" <dkg at fifthhorseman.net> wrote:
>> Concretely, it should be possible to mark a key as not exportable to a
>> keyserver or to provide a list of key servers (perhaps described using
>> regular expressions as per Section 8 of RFC 4880) to which it may be
>> exported.
>>
>> This could be implemented as a new signature subpacket.
.....
>
> However, this arrangement (or your signature subpacket proposal) has a
> set of problems that make it far from ideal protection, especially in
> the face of potentially adversarial users:
>
> 0) Any existing key (one with a self-sig that does *not* have this
> feature set) can't add this feature in a reliable way -- a new
> self-sig can just be stripped out of the certificate and the
> remaining certificate (with the previous self-sig) will be back to
> being "exportable".
>
> 1) The keyservers would need to respect the value and decline to accept
> or propagate such keys. SKS currently doesn't even respect the
> non-exportable flag for non-self-sigs
> (https://bitbucket.org/skskeyserver/sks-keyserver/pull-request/20),
> let alone verify the cryptographic validity of signatures.
=====
There could be a workaround, where the key is uploaded to the keyservers,
but functionally unusable except to the individuals whom the key-creator wants to be able to use it:
[1] Encrypt part of the public key symmetrically, the same way that the private key is symmetrically encrypted.
[2] Send the passphrase to whomever you want to send the public key, encrypted to their public key.
[3] Upload the key to keyservers. It will be usable only by those whom you choose to give the passphrase.
(*Unless* you misjudged someone to whom you sent the passphrase, and he turns maliciously on you and uploads the decrypted form ....)
If such a key-type were implemented, would it need a change in 4880, other than a notice to allow it?
vedaal