'sign (and cert)' or just 'cert' on a master key with subkeys

Andrew Gallagher andrewg at andrewg.com
Mon Jul 31 17:28:27 CEST 2017


On 2017/07/31 15:44, Mario Figueiredo wrote:
> On a separate tutorial (2), Alan Eliasen strongly advises against 
> this practice.

He does, but his argument is weak. The meat of it is:

> Unless everyone that you communicate with regularly does something 
> like:
> 
> gpg --refresh-keys
> 
> to find out that keys have been revoked, they may never even know 
> that you revoked the signing key, and they will continue to trust 
> your signature.
> 
> If the person who stole your laptop (and thus your secret keys) could
> ever impersonate you (because they guessed the password for your
> secret key), then they can forever decrypt all the communications
> sent to you with that same key if you follow the "perfect keypair"
> advice.
> 
> Allowing your attacker to read your encrypted communications forever,
> and pretending it didn't happen, is extremely bad and wrong 
> cryptographic practice, obviously. If your decryption key is stolen,
> revoke that entire keypair and never use any part of it again!
> Otherwise, your attacker can forever read messages encrypted to your
> public key.

There are two enormous holes in this argument:

1. If the people you communicate with regularly don't do "gpg
--refresh-keys" regularly they won't find out whether *anything* has
*ever* been revoked. So they will continue to trust your bad signature
regardless of whether you're using a subkey, a primary key, a wax seal,
thumbprints in blood, whatever. This is a completely separate argument.

2. He seems to be operating under the impression that encryption subkeys
can't be individually revoked, which is complete nonsense. And no matter
what you do after your encryption key is compromised, yes of course all
your past communications using that key are still readable by the
attacker. But again, that's the case with or without subkeys.

And of course he overlooks the strongest argument in favour of using
subkeys, and that's so you can put them on a hardware token and not have
to store them on your laptop at all.

The only bit where he has (half) a point is that it may be a good idea
to revoke your entire key because it is noisy, and therefore more likely
to be noticed (and your compromise paid due attention to) than if you
simply rolled your subkeys. But so long as your passphrase is good, it
shouldn't matter whether an attacker has a copy of your encrypted
privkey (see: RJH's NYT small ads offer) and rolling your subkeys is a
precaution against your passphrase having been keylogged at some point
prior to losing your laptop (remembering of course that if your laptop
had malware, it's Game Over anyway).

A
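An added illustration of the two points above (this is not part of Andrew's message, nor GnuPG's own code): it parses the machine-readable listing that `gpg --list-keys --with-colons` prints and shows, first, that an encryption subkey can carry a revocation on its own while the primary key stays valid, and second, which subkey a correspondent who never runs `gpg --refresh-keys` would still encrypt to. All three listings are constructed sample data with made-up key IDs and fingerprints; the field positions follow the documented colon format (record type, validity, key length, algorithm, key ID, creation date, ..., capabilities in field 12).

```python
"""Added example (not from the gnupg-users thread): inspect a
`gpg --list-keys --with-colons` listing for per-subkey revocations and
compare a stale cached copy against a refreshed one.

All listings below are constructed sample data; key IDs are made up."""

from dataclasses import dataclass, field
from typing import Dict, List

# Validity codes (field 2 of a pub/sub record) that make a key unusable.
UNUSABLE = {"r": "revoked", "e": "expired", "i": "invalid", "d": "disabled"}


@dataclass
class KeyRecord:
    keyid: str
    validity: str       # field 2: 'u'/'f' valid, 'r' revoked, 'e' expired ...
    capabilities: str   # field 12: e=encrypt s=sign c=certify a=authenticate
    subkeys: List["KeyRecord"] = field(default_factory=list)


def parse_colon_listing(text: str) -> List[KeyRecord]:
    """Return one KeyRecord per primary key, with its sub records attached."""
    keys: List[KeyRecord] = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue  # fpr/uid/sig records carry nothing we need here
        rec = KeyRecord(keyid=f[4], validity=f[1], capabilities=f[11])
        if f[0] == "pub":
            keys.append(rec)
        elif keys:
            keys[-1].subkeys.append(rec)
    return keys


def primary_revoked(key: KeyRecord) -> bool:
    return key.validity == "r"


def usable_encryption_subkeys(key: KeyRecord) -> List[str]:
    """Subkeys still encryptable-to: 'e' capability and not r/e/i/d."""
    if primary_revoked(key):
        return []  # the whole certificate is dead, no subkey survives it
    return [s.keyid for s in key.subkeys
            if "e" in s.capabilities and s.validity not in UNUSABLE]


def silently_revoked(stale: KeyRecord, fresh: KeyRecord) -> List[str]:
    """Subkeys a stale copy would still use that the fresh copy marks revoked."""
    revoked_now = {s.keyid for s in fresh.subkeys if s.validity == "r"}
    return [k for k in usable_encryption_subkeys(stale) if k in revoked_now]


def report(stale_text: str, fresh_text: str) -> Dict[str, object]:
    """Compare what a non-refreshing correspondent believes with reality."""
    stale = parse_colon_listing(stale_text)[0]
    fresh = parse_colon_listing(fresh_text)[0]
    return {
        "primary_revoked": primary_revoked(fresh),
        "encrypt_to_before_refresh": usable_encryption_subkeys(stale),
        "encrypt_to_after_refresh": usable_encryption_subkeys(fresh),
        "stale_but_revoked": silently_revoked(stale, fresh),
    }


# Constructed: what a correspondent has cached before any refresh.
STALE_LISTING = """\
pub:u:255:22:0123456789ABCDEF:1501512000:::u:::scESC::::::ed25519:::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1501512000::DEADBEEF::Example User <user@example.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1501512000::::::e::::::cv25519::
sub:u:255:22:1111222233334444:1501512000::::::s::::::ed25519::
"""

# Constructed: the same key after the owner revoked only the encryption
# subkey and added a replacement (what `gpg --refresh-keys` would fetch).
REFRESHED_LISTING = """\
pub:u:255:22:0123456789ABCDEF:1501512000:::u:::scESC::::::ed25519:::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1501512000::DEADBEEF::Example User <user@example.org>::::::::::0:
sub:r:255:18:FEDCBA9876543210:1501512000::::::e::::::cv25519::
sub:u:255:22:1111222233334444:1501512000::::::s::::::ed25519::
sub:u:255:18:5555666677778888:1501598400::::::e::::::cv25519::
"""

# Constructed: the "revoke the entire keypair" alternative; every record
# is marked revoked, so nothing under the primary is usable any more.
WHOLE_KEY_REVOKED = """\
pub:r:255:22:0123456789ABCDEF:1501512000:::u:::scESC::::::ed25519:::0:
sub:r:255:18:FEDCBA9876543210:1501512000::::::e::::::cv25519::
sub:r:255:22:1111222233334444:1501512000::::::s::::::ed25519::
"""

if __name__ == "__main__":
    print("subkey rolled:    ", report(STALE_LISTING, REFRESHED_LISTING))
    print("whole key revoked:", report(STALE_LISTING, WHOLE_KEY_REVOKED))
```

In the "subkey rolled" case the primary stays valid and a refreshed correspondent moves to the new encryption subkey, while the stale copy keeps pointing at the revoked one; in the "whole key revoked" case nothing survives. Either way the stale copy is wrong, which is the first hole in the quoted argument: the refresh problem exists regardless of whether subkeys are used.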
