[Cryptography] Help please, considering design of personal CA for PPE

Theodore Ts'o tytso at mit.edu
Tue Jun 17 19:14:01 EDT 2014


On Tue, Jun 17, 2014 at 10:04:29PM +0100, ianG wrote:
> > 
> > When people endorse each other's keys in this scheme they are going to
> > be endorsing their lifelong phingerprint corresponding to a masterroot,
> > not the subroot or use keys.
> 
> What happens when Alice loses control of her lifelong key?  How does she
> encourage others to switch to a new one?  Can she sign on to her own new
> lifelong with the old subroot?

The question of how the lifelong key will be (a) protected so an
adversary can't obtain the private components, but (b) available so
Alice can re-sign the subkeys periodically is perhaps the trickiest
part of the design IMO.  If the private components are encrypted, then
the risk is that Alice will forget the password, especially if it is
but rarely used.  And if they aren't encrypted, then they will be
subject to being disclosed to an unauthorized party.  Sure, you can
break it apart using some secret sharing scheme, but how does that
scale?  And it doesn't solve the problem of how the individual
components are protected --- they are either encrypted, in which case
the problems are whether or not the passwords are strong, and whether
or not the passwords get forgotten, or they aren't encrypted, in which
case how do you protect them from being stolen?

Even if they are written on a piece of paper using a QR code, or some
such, the piece of paper still has to be protected somehow.  Do you
trust putting it in a safe deposit box?  Does your threat environment
include the possibility of a court order demanding access to said
safe deposit box?

There are solutions, but they all involve tradeoffs.

						- Ted

