[119113] in Cypherpunks
deploying forward secrecy (Re: Worthless Disappearing)
daemon@ATHENA.MIT.EDU (Adam Back)
Fri Oct 15 08:49:05 1999
Date: Fri, 15 Oct 1999 12:54:41 +0100
Message-Id: <199910151154.MAA03302@server.cypherspace.org>
To: amp@pobox.com
From: Adam Back <adam@cypherspace.org>
CC: cypherpunks@cyberpass.net
In-reply-to: <380694E3.AE5AF861@pobox.com> (message from AMP on Thu, 14 Oct
1999 21:43:47 -0500)
Reply-To: Adam Back <adam@cypherspace.org>
Amp writes:
> Why even bother to buy into a service that has this feature when you
> can't be =sure= that the keys are =really= deleted. The paranoid might
> say that this could easily be a front for TLA of USGOV to sucker people
> into a false sense of security.
>
> Why not just implement the same thing oneself?
Something like the scheme you proposed with short lived public keys
was suggested for inclusion in PGP. At the time PRZ was arguing it
was too difficult to get right, that there would be lost mail as a
result.
More lately I notice that PGP 6.5 or whatever the lastest is creating
public keys with two subkeys one which takes over after the other
expires. People seem to be using this with 1 year or so of
consequtive validity on each key. Not that immediately forward
secret, but slowly forward secret if you wipe the old private key.
There is an argument against pre-publishing keys for future use, the
argument that someone might compromise the corresponding private keys.
The argument is the longer the private keys exist on your hard disk,
the more opportunity there is for their compromise before they are
used.
The alternatives are more online protocols.
However I think this argument is relatively weak from a practical
point of view. If someone has compromised your current private key,
and you generate fresh ones each week to upload to the key server,
well the attacker will just replace your application binary too, and
backdoor the key gen process or just attack the signature key: the new
keys will be signed with the signature key, if the attacker gets a
copy of the signature key he can do a MITM attack.
There are advantages to being able to have relatively offline key
exchange. Online activity is an exposure point for anonymous users.
Adam