I'm not sure I buy this argument, the WoT is expected to be long-term,
if needing to do rotation of certification subkey, it sounds like you're
making it more temporary of sorts. Wouldn't just having a separate CA
key that is fully trusted (presumably locally signed and not exportable)
accomplish much of the same for more "temporary" signatures, i.e those
not exported to view of the rest of the ecosystem / external users?
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
There are two tragedies in life. One is to lose your heart's desire. The
other is to gain it.
- George Bernard Shaw

you might have made the master key "more secure", but you've done so by
transfering the capabilities of the master key (certification) out to
the less-controlled keys. what's the win here? secret keys are not in
themselves important objects -- what's important is the capabilities
that the network assigns to the corresponding public keys.

Also, when some certification in a chain has an expiration date on it,
is the whole chain of certifications bound by the narrowest
("bottleneck") expiration date, or is there some other governing
principle?

And when a leaf certifiation expires earlier than marked because some
middle element in the chain becomes unusable (remember, subkey
expiration dates can change; subkeys can be revoked), how would you
present this change to the user?

And further still: how many levels deep should such a certification
chain go?

I think it's pretty easy to argue "0 levels" (i.e. "no
certification-capable subkeys") for simplicity of implementation and
usability concerns.

I'd suggest that no implementation is willing to argue for "∞ levels"
because at some point the chain of verification becomes too expensive to
cope.

Are you arguing for some particular limited level of depth? if so, how
do you justify that level?

--dkg

On Fri, 25 May 2018 12:26:54 +0200,
FWIW, this workflow does not require certification subkeys. You can
instead create two keys, an offline key and an online
certification-only key. Then, you *t*sign the certification key using
the offline key. This means that anyone who adds your offline key as
a trusted introducer will automatically trust your online
certification key. Check out Section 6.3.12 of the following text for
more details:

https://gnupg.org/ftp/people/neal/an-advanced-introduction-to-gnupg/an-advanced-introduction-to-gnupg.pdf

:) Neal

Hi Daniel,

Thanks for your comments. We want to put forth a more complete
proposal so that you hopefully better understand what we are trying to
do. This will hopefully clarify some of your concerns.

Forward Secrecy and Multi-Device Support
========================================

We want to support automatic forward secrecy in a multiple device
context. At least initially, we intend to do it a bit like Ian Brown
et al. described in their internet draft [1].

[1] https://tools.ietf.org/html/draft-brown-pgp-pfs-03

Basically, we want to automatically rotate encryption subkeys on a
regular basis. (Perhaps later we can figure out how to do something
like Signal's double rachet.)

If the user has multiple devices, we see two ways to do key rotation.

First, the primary device (however that is selected), periodically
generates a new encryption subkey, and somehow(!) shares it with the
other devices. If the user doesn't use the primary device for awhile,
and the subkeys expire, some other device will have to create the new
keys. But, this introduces a potential race.

Second, each device rotates its own encryption subkey. Whereas in the
first case, all devices did not strictly require access to a
certification-capable key, now all devices need access to one. The
simplest solution would be to just give each device a copy of the
primary key, as you appear to suggest. But, providing each device
with its own certification-capable subkey has the advantage that it is
possible to revoke a device. Users already understand this workflow:
if you have a google account, an amazon account, etc., it is possible
to decommission individual devices. Further, using
certification-capable subkeys makes it possible to keep the primary
key offline.

When the user revokes a device, the UI could ask the user whether
certification-capable subkeys signed by that key, and third-party
certificates created by that key should remain valid. For instance,
if "laptop" was used to provision "cell phone" and "laptop" is
decommissioned from "desktop", then decomissioning "laptop"
transitively decomissions "cell phone". To avoid this, "desktop"
could recertify "cell phone".

In the above example, we named the devices. It might be reasonable to
make this information first class. This way the UI can use sensible
names. Also, similar to Jabber with its named resources, it is easy
to imagine some advanced option that allows the sender to make her
message decryptable on only a subset of the recipient's devices.

Finally, if accidental commissioning of a fake device is a real
concern, the user's OpenPGP software could show a note when it detects
that a new device has been commissioned similar to: "It looks like
device 'foo' recently commissioned device 'bar', if this was not
intended, then 'foo' was probably compromised."

Forward Secrecy
===============

The basic idea behind forward secrecy is that old keys are deleted
after a sunset period. OpenPGP has traditionally been used to protect
both data at rest as well as data in motion. At first blush, this
usage appears to be at odds with forward secrecy. But, OpenPGP
actually already has provisions for forward secrecy. Moreover, it is
possible to have both transport encryption and storage encryption in a
backwards compatible way.

First, OpenPGP foresees two types of encryption keys:

0x04 - This key may be used to encrypt communications.
0x08 - This key may be used to encrypt storage.

https://tools.ietf.org/html/rfc4880#section-5.2.3.21

When generating a key in Sequoia, we intend to generate two encryption
subkeys: a communication encryption subkey, and a storage encryption
subkey. When a program using Sequoia wants to encrypt a message, it
specify whether protection is only needed during transportation or
whether the message is intended to be archived.

Since only one storage encryption subkey is needed (it is not
rotated), it can be stored on a smart card (along with the primary
certification key!).

It turns out this usage is nearly completely backwards compatible to
GnuPG: when GnuPG generates an encryption capable subkey, it makes it
both a communication and a storage encryption key. The only issue, is
that if there are multiple valid encryption subkeys, GnuPG only uses
the newest one, AFAIK. But, there is precedence for encrypting to all
valid encryption capable subkeys: this is what OpenKeychain does.

Session Key Store
=================

People assume that, e.g., their email remains readable long after
they've received it. Unfortunately, if we use forward secrecy and
don't change the MUAs to locally store the decrypted message, this
will no longer be the case. To work around this, we can maintain a
session key store. This is just a map from an encrypted session key
to the decrypted session key. Then, once a message is decrypted, we
don't need the asymmetric key to decrypt it again.

Unfortunately, if the session key store is somehow compromised, this
means that a copy of the message remains decryptable even if the user
deleted the message. This can be partially mitigated by allowing
programs (e.g., a MUA) to purge session keys when they delete the
message. Of course, this is not so easy when there are multiple
devices. But, even ignoring this problem, having a session key store
is no worse than the status quo. And, if this behavior is embraced,
developers will hopefully change their software to improve their
behavior. Changing notmuch would probably be very straightforward.


Alternatively, we could keep old messages readable by reencrypting the
session key using, e.g., the storage encryption key. This requires
the ability to rewrite the message, which is not always possible or
desirable.

Another option is to not actually delete the old encryption subkeys,
but to encrypt them using the storage encryption key.

Key Distribution
================

If we aggresively rotate keys (and, we are currently thinking of doing
this once a week), then we need to distribute the keys. The key
servers appear to be a convenient way to do this. But, many users are
concerned about having their personal information published. To
resolve this conflict, we plan to *not* publish user id or user
attribute packets. This is better than Signal's key servers, which,
AIUI, associate keys with telephone numbers.


Key Rotation
============

To avoid having a period of time during which no encryption-capable
key is available for a device either because the device hasn't had an
opportunity to generate new keys, or the sender hasn't been able to
refresh the key from the key servers, we plan to publish keys in
advance. For instance, we will create keys covering, say, the next 6
months. By setting the creation time and expiration time
appropriately, only one key per device will be valid at any given
time. AFAIUI, recent versions of GnuPG respect this.

We plan to generate new keys when a low-water mark is reached, say,
three months before the last key expires.


On Fri, 25 May 2018 22:00:58 +0200,
This is leaked in other ways. And, this is also leaked by Signal,
AFAIUI. If this is a serious concern, it would be possible to publish
decoy keys.
I don't understand this. Using a certification-capable subkey, there
is still only a single cryptographic identity established by the
primary key.
I don't understand this argument either: if someone is able to trick
me into generating an extra certification subkey and sending it to
them, they could probably just as easily trick me into send them a
copy of my master key.
If the primary certification-capable key is offline, then we can't
easily do key rotation.
Perhaps. But, regularly transmitting key material seems like a bad
idea. If the new subkey is encrypted using the old one, then if an
attacker exfiltrates any subkey, it is possible to get all subsequent
ones. If the subkeys are created on the device, then when the subkeys
are rotated, the attacker's access is lost and the exfiltration must
be repeated.
I don't think that the added complexity is that large. When I verify
a signature, I can't assume it was made by the primary key, but I need
to find the right certification key, and also validate that key, if it
is not the primary key.


:) Neal & Justus