[Cryptography] Master key rollover in the Mesh

[Phillip Hallam-Baker]

One of the key simplifications I made to the design of the Mesh was to
eliminate certificate expiry which provides little real utility and causes
a dramatic increase in complexity.

If a user only uses their master profile key to periodically authorize
administration devices, what does it matter if it is valid for 50, 100
years?

It has since occurred to me that I can in fact support a key rollover
mechanism using the key combination law that ECDH (and all DH variants)
supports and enrollment of the profiles in an append-only notarized log.

So imagine for the sake of argument that the user's original master
signature keypair is {a, a.P} and her fingerprint is therefore H(a.P). She
enrolls a profile containing a.P in the notary log.

Alice can now generate a new master key {b, b.P} and enrolls a rollover
assertion in the notary log. This is an assertion signed by key b. that it
is a rollover of the key a.P which it proves by providing the value (b-a).P.

One of the rules of the Mesh is that master keys are only ever used to sign
administration keys. And the reason you would probably want to be able to
rollover the master key is to revoke authorization of an administrative key
that was lost.

So we are going to need a little bit of glue to save the appearances here.
But we only need to play about with the key composition law etc when we are
validating the administration key.


I have not fully worked out the best way to apply this. But at least in
principle, we have a mechanism that can be used to disable use of a master
key and replace it with a new one.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20190403/491e3421/attachment.html>