(oops, accidentally forgot copy to list, sorry for thread breaks)

On 2016-01-21 11:29, Lachlan Gunn wrote:
> Speaking of which, is there any solution around for session key
> archiving?

Not that I'm aware of.

> Key transition would be a bit more convenient if there
> were some way to automatically maintain a log of (encrypted) session
> keys for messages that you've seen, since you could then
> mass-re-encrypt them when you change key.

That's an interesting solution, I hadn't thought of that! But does it
have better security properties than simply encrypting an on-disk copy
of the old encryption subkey, encrypted to the new encryption subkey?
That is a whole lot simpler.

If somebody is able to decrypt the log of session keys, they can
effectively decrypt everything encrypted to the old subkey. This is
presuming the old encryption subkey is no longer used, so all data that
was ever encrypted to the old subkey is in one of the logs (multiple, if
the user has more than one computer).

And if they can decrypt the on-disk copy of the old subkey, they can
decrypt everything ever encrypted to the old subkey, and anything new
that will be encrypted to the old subkey. But the latter is not going to
happen.

Without any rigorous thought having yet gone into it, it seems they have
the same /effective/ properties.

On the issue of usability: right now, an encrypted copy of an old subkey
is a hassle to work with. But GnuPG could implement a feature that it
automatically decrypts it using the current subkey, and then uses the
old subkey to decrypt the data. In a generic form, this means that the
private key storage, which currently only supports symmetric encryption
in OpenPGP parlance, also supports public-key encryption.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
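The "log of session keys" that Lachlan describes can be built with stock GnuPG today: `--show-session-key` reveals a message's session key at decryption time, and `--override-session-key` uses such a key later to decrypt the message without any private key. The script below is an added example, not code from the thread, from GnuPG or from its documentation; it assumes GnuPG 2.2 or later is on PATH as `gpg` (with `gpgconf`), plus `awk` and `mktemp`, and the user ID `demo@example.invalid` and the message text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates the "log of session
# keys" idea with stock GnuPG (assumed >= 2.2, on PATH as "gpg"):
# --show-session-key exports a message's session key, --override-session-key
# decrypts with it later, even from a keyring that holds no private key at all.
set -eu

# Fresh, isolated GNUPGHOME so the demo never touches the user's real keyring.
new_home() {
    d="$(mktemp -d)"
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Unprotected demo key (primary plus encryption subkey) in home $1.
# "future-default" selects the Curve25519 family, which is fast to generate.
make_demo_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Archive Demo <demo@example.invalid>' \
        future-default default never 2>/dev/null
}

# Encrypt stdin to the demo key; ciphertext goes to file $2.
encrypt_to_demo() {
    GNUPGHOME="$1" gpg --batch --quiet --yes --trust-model always \
        --recipient demo@example.invalid --encrypt --output "$2" 2>/dev/null
}

# "Archiving" step: decrypt $2 with the private subkey and print only the
# session key, taken from the machine-readable status line
# "[GNUPG:] SESSION_KEY <algo>:<hex>" (this is the value the log would store).
archive_session_key() {
    GNUPGHOME="$1" gpg --batch --show-session-key --status-fd 1 \
        --decrypt --output /dev/null "$2" 2>/dev/null \
        | awk '$2 == "SESSION_KEY" { print $3 }'
}

# Recovery step: decrypt $3 in home $1 using only the archived session key $2.
decrypt_with_archived_key() {
    GNUPGHOME="$1" gpg --batch --quiet --override-session-key "$2" \
        --decrypt "$3" 2>/dev/null
}

# Stop the agent gpg started for a throwaway home, then delete the home.
cleanup_home() {
    GNUPGHOME="$1" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# End-to-end run: prints the plaintext recovered without any private key.
run_demo() {
    plaintext='constructed test message for session key archiving'
    owner="$(new_home)"      # keyring that holds the private key
    bare="$(new_home)"       # keyring that holds no keys at all
    msg="$owner/msg.gpg"

    make_demo_key "$owner"
    printf '%s' "$plaintext" | encrypt_to_demo "$owner" "$msg"

    sk="$(archive_session_key "$owner" "$msg")"
    # Sanity check on the archived value's "algo:hex" shape before relying on it.
    case "$sk" in
        *:*) ;;
        *) echo "no session key archived" >&2
           cleanup_home "$owner"; cleanup_home "$bare"; return 1 ;;
    esac

    recovered="$(decrypt_with_archived_key "$bare" "$sk" "$msg")"
    cleanup_home "$owner"
    cleanup_home "$bare"
    printf '%s\n' "$recovered"
}

# Usage: sh session_key_archive.sh --run
if [ "${1:-}" = "--run" ]; then
    run_demo
fi
```

The recovery step runs in a keyring with no keys at all, which makes Peter's point concrete: each archived `algo:hex` value is a complete decryption capability for its message, so a session-key log has to be stored with at least the protection given to the old encryption subkey itself, and every copy of the log (one per machine) is another place where that capability lives.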