After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up. At least on the concept of long term PGP keys.

This is not about the gpg tool itself, or about tools at all. It's about the long term PGP key model (be it secured by Web of Trust, fingerprints or Trust on First Use) and how it failed me.

If you got a link to this in response to an encrypted email or to a request for a public key, you might want to skip to the "Moving forward" section.

I had offline master keys on a dedicated Raspberry Pi with short-lived subkeys. I wrote custom tools to make handwritten paper backups of offline keys (which I'll publish sooner or later). I spent days designing my public PGP policy.

I travelled 2 hours by train to meet the closest Biglumber user in Italy to get my first signature in the strong set. I have a signature from the most connected key in the set. I went to key signing parties in multiple continents.

I have the arrogance of saying that I understand PGP. In 2013 I was dissecting the packet format to bruteforce short IDs. I devised complex silly systems to make device subkeys tie to both my personal and company master keys. I filed usability and security issues in GnuPG and its various distributions.

All in all, I should be the perfect user for PGP. Competent, enthusiastic, embedded in a similar community.

First, there's the adoption issue others talked about extensively.

"Or on the laptop, I left the keys I never use on the other machine".

But the real issues I realized are more subtle. I never felt confident in the security of my long term keys. The more time passed, the more I would feel uneasy about any specific key. Yubikeys would get exposed to hotel rooms. Offline keys would sit in a far away drawer or safe. USB devices would get plugged in.

A long term key is as secure as the minimum common denominator of your security practices over its lifetime.

Worse, long term key patterns like collecting signatures and printing fingerprints on business cards discourage practices that would otherwise be obvious hygiene: rotating keys often, having different keys for different devices, compartmentalization. It actually encourages expanding the attack surface by making backups of the key.

Cattle in infrastructure, those concepts would apply just as well to keys! If I suspect I'm compromised I want to be able to toss the laptop and rebootstrap with minimum overhead. The worst outcome possible for a scheme is making the user stick with a key that has a suspicion of compromise because the cost of rotating would be too high.