[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from keyring-maint



On Wed, 15 Sep 2010, Marco d'Itri wrote:
> On Sep 15, Christian PERRIER <bubulle@debian.org> wrote:
> > > I would like to know the process which lead to selecting these figures.
> > Apparently, just like many other things in the project: the folks
> > doing the work (and appointed for this by the project through the DPL)
> > examine the situation, make plans and decisions and
> > then announce them.
> I suppose that this was not the result of cargo cult engineering, so if
> these new recommended key values have been selected as the result of a
> process I am curious to know the rationale which lead to the choice.
> It really looks like a simple question to me.
> 
> I am just asking for a rationale. I would like to know if the new
> recommended key values have been selected as the result of a process,
> and what the rationale is, or if this is cargo cult engineering.
> 
> > I somehow understand you might be unhappy about this way to do
> > things. Is this interpretation from my side?
> Assumingly this is the result of an informed choice, then I have no
> objections at all.

I notice Perry E. Metzger's reply already address most of what I will
write here, but I had already composed most of the reply before I got
his, and I wrote a bit more about some of the details than he did.

As Perry said, the responses on the crypto ML are favorable on the bias
towards RSA.  Reasons given were compatibility outside of the gnupg
world, and decription speed.  There was one about code maturity, but I
am not sure I understood it correctly.

As for the large keysize, it is seen as too large.  It was recommended
that Debian should try to do something that would help reduce the
overall threat to the Debian PKI instead of promoting very large key
sizes *in order to acommodate for very large key lifetimes*.

The recommendation for that one was: smartcards, use main key as a KSK
only, and don't let it leave the smartcard.  subkeys have several
advantages, they can be smaller than the main key, and they can be
replaced without web of trust issues (so you could replace them often,
and give them a validity of only 1-2 years).

One would use the smartcard only to generate new subkeys and UIDs, and
to sign other keys (otherwise, you'd need to re-sign already-signed UIDs
when the subkey is about to expire. I didn't check if gnupg lets you use
subkeys to sign UIDs on other keys).

Message encription and signature are done using the subkeys, only.
Subkeys are much easier to replace, can be smaller (i.e. faster to use)
than the main key, can be of a different type (e.g. El-Gammal) than the
main key, and replacing them won't interfere with the web of trust.

I just wondering where I am supposed to find a good smartcard that can
take 2048R (or larger) keys, works well with gnupg, and for how much :)

The usual question (what is the threat model for DD keys) was obviously
asked, and as usual the first threat that comes to mind is not key
cracking or colision attacks by a well-funded attacker.  It is not
technological advancement (for which the best defense is to be able to
upgrade keys often and making sure such key rollovers can be done
safely).  It is a compromised key, which is much cheaper and easier to
accomplish, and could be done by a lucky script kiddie.

IMHO there are NO reasons to believe we can take secure (which *are*
cubersome) key handling practices by every DD for granted, either.

BTW: Nobody was able to convice me that 4096R is a bad choice,
especially when coupled to 2048R subkeys.  Only that it is pointless to
use 4096R instead of 2048R for the overall Debian PKI security
standpoint.  But pointless does not mean harmful.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


Reply to: