Certification-only key

[Andrew Gallagher]

On 2017/06/06 14:38, Peter Lebbing wrote:
> However, if somebody has used a timestamping service to prove the
> signature was in fact really issued before the key expired, you'll have
> to claim that you had already disclosed the secret key back then. Even
> though you didn't. So you can't prove it with a timestamping service
> because it is not actually the case.

Ah, yes. I was thinking of the case where the signature was forged, not
one where the signature was genuine.

Repudiable signatures, like ephemeral keys, only really work in a
synchronous environment such as chat or TLS. The signatures are checked
automatically and thrown away before being presented to the user, which
allows them to be valid for very short periods of time (on the order of
seconds). The secret keys are then published (within the secure channel)
immediately. In such an environment, any discrepancy found by referring
to a timestamping service can be explained away by clock drift.

This reminds me of the side discussion at openPGPconf re ephemeral keys
for email. At some point you have to admit that data-in-motion and
data-at-rest security are fundamentally different beasts.

A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170606/8b551f92/attachment-0001.sig>