[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] Possible solution to "delete" keys
|
From: |
Kristian Fiskerstrand |
|
Subject: |
Re: [Sks-devel] Possible solution to "delete" keys |
|
Date: |
Tue, 29 Oct 2013 23:10:11 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 10/29/2013 10:59 PM, dirk astrath wrote:
> Hello again ;-)
>
> I understand the issue, that keys shouldn't be deleted from the
> database. They should be revoked only and kept in the database.
>
...
>
> I suggest to "sign" the "to-be-deleted"-key with a special
> signature, which causes the personal data of this key not to be
> displayed.
>
Some off-the-top-of-my-head issues with this approach;
(i) Who would determine who should have such delete capabilities? Is
there any reason for key server operators to have any more "power"
than anyone else?
(ii) If someone is determined as such a "key deleter"; is there legal
culpability possibilities for keys not having been deleted
(iii) SKS doesn't implement crypto, doing so on a keyserver will
massively increase the resource requirements
(iv) the data is still in the keystore and will have to be
synchronized, anyone mallicious will be able to get the keydump
directly and extract the data.
> In this case we have 4 possible answers for a key if searching for
> the Key-ID:
>
...
> ... and new:
>
> (4) Key is deleted: Show key-id only and red marker "revoked"
>
(i) This can be used as an attack vector to upload a forged key and
delete the old one. (ii) Simply displaying revoked doesn't mean
anything for OpenPGP implementations
> To go a step deeper:
>
> Many users created a test/demo-key a long time ago and
> forgot/deleted/... the private key or private-key-passphrase.
> Since it's impossible to delete (or even revoke) the old keys,
> these keys may still be used to encrypt mails to the user (which
> may never be able to decrypt it). If the personal data from these
> old keys can be hidden (=not displayed to the user or
> PGP/GnuPG-software) only the active and revoked keys will be used.
>
> (Every now and then i get the question from users: "which key
> should i use to send a mail to you ... if I'm unsure, i use
> unencrypted mail").
>
...
>
> We have to decide the details of the procedure to mark a key as
> deleted in the database like "two or three sks-operators have to
> be sure", "email-verification", "can be deleted only, if an
> encrypted mail has been sent" etc. ...
>
A key isn't less valid even if a domain name expire and a new user
takes control of that domain.
- --
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Bene diagnoscitur, bene curatur
Something that is well diagnosed can be cured well
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.0-beta255 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJScDJDAAoJEAt/i2Dj7frjai8P/AgCQ35LCF4IjXPd7U8wt9nM
WHgR6njcSuLrSwUJDogCfvFA77/qoX+RbOH8EF0kYcCyEBUsee6XBSxKITiKrG9y
PG8uo3n/Xq1GHij6SA2pFzxiv2LMoWBZw5lC5mUxBkcrZ/Hn5jDtlPb4B213QNKu
SbuZ6eqoweKL40LG9h8nWvQAtzAhfKAMH2y2huUO5M8kPl1zTvf3DMupEqhkJm9r
8NqdMkrVcy1oiYRHxWVFLovi/sNZWf90k2522599cffZ5lfJiegIA1CxxVmSNOGo
aDFVBuRmyJiLnnxEQcAFvwk/K3Ivq0Scb/GUSk4IPl+N3bGozYIfamFnUhM2nlMJ
uBmhJprhwbiCNtKyJlHOuv98f4ZoxAz5D2f4pKt0lkYGufbvqQjYQHXLJ3UQghHq
++Q4snqsOJd6jBdYQhYrokrJzaVkkxpkYYuAfbBKNWXgA2ke4uGeMYW0c13qwECi
ip00IlyvPS74ZiNTsforBgUzCsNQ97Oi/MpvY0QedpaFIMZ0fBVLoOpc/q0VsID0
ti2vqbl/L3l+TPDvmBZ5U1CUXROIsne5kspCUcJULAzjRmPM4oo0e1vKMvzaxAWC
tIRkjb6y8uaSRf6sf9/IMYAHCKgbGkEDfO3SDtVkA1K0PQ7MAsxhgjhmyLbYBP6R
YUm1n1e+XcBbII7ESGi1
=orx/
-----END PGP SIGNATURE-----