-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2017-04-02 16:18, Will Senn wrote:
> On 4/2/17 1:20 PM, Doug Barton wrote:
>> Some answers below, and you've already received some good answers, but
>> I have some more fundamental questions. :)
>>
>> First, and an important question for security-related stuff generally,
>> what is your threat model? In other words, what dangers are you
>> guarding against by using PGP? You mention evangelizing your key, and
>> asking how to get more people to use PGP with you. Those are
>> reasonable questions, but the first is the most important.
>>
> Doug, interesting term "threat model". I've seen it a few times and
> wasn't sure what it meant. Thanks for the simplified explanation. It's a
> piece of technical jargon that is part of the difficulty I saw with
> learning the OpenPGP terrain. While security folks probably dig the
> lingo, for the lay person, it's, well, interesting... I perceive my
> threat model as being 1) a risk that someone other than my intended
> recipient will gain access to information that I am sending to my
> intended recipient

Ok, for that scenario you probably don't want PGP. You probably want an
application like Signal. When PGP was invented there was nothing else
like it available. Nowadays that's not true. If you are interested
strictly in one-to-one communication, or one-to-many, Signal is a better
choice in the sense that it's much easier to use, much harder to get
wrong, and easier to get friends to opt into.

> 2) a risk that someone other than me will gain
> access to information that I want only to be accessible to me.

For that you DO want PGP, and a key can be useful, but is not necessary.
Symmetric encryption will work just as well for this use case, and is
simpler.

> I envision the solution, based on my understanding of available
> (affordable) technologies as being 1) secure method of transmitting
> information asynchronously over public media and 2) a method of
> encrypting information on local storage media.

Yep, that's about right.

> As you can see above, my threat model is neither comprehensive, nor is
> it fully informed. But, it's pretty much the same story for a lot of
> folks. I have learned over the past several weeks, that key management
> is potentially a vulnerable point... I kind of suspected this, but after
> hanging out in irc for a bit and tor, I'm kinda freaked out that it's a
> more widespread problem than most folks realize - trojans are everywhere
> :).

Yes. Key management takes dedication, and knowledge. It's easy to get
wrong, and not easy to get right. Using a purpose-built app like Signal
avoids that problem.

>> On 04/01/2017 07:10 AM, Will Senn wrote:
>>
>>> 3. I've read
>>> https://superuser.com/questions/466396/how-to-manage-gpg-keys-across-multiple-systems
>>>
>>> and other such pieces proclaiming the value of having the master key in
>>> a safe place and having subkeys on your actual devices.
>>
>> What do you think a master key is, and why do you think it's important
>> to protect it? What kind of devices do you want to put signing subkeys
>> on? Why do you think that your use of PGP will be more secure if you
>> have a signing subkey on a device, instead of your "main key?"
>>
> Neal pretty much spelled out a reasonable answer to these questions,

He didn't, actually. He parroted some text about them, which is more or
less correct. Also, you didn't answer my questions. :) But I'll play
along for fun ...

> but
> I'm not having much luck signing with subkeys, so I'm not convinced this
> is worth the headache and increased complexity of key management.

It's not really that hard to do. What kind of problems are you having?
The instructions at https://wiki.debian.org/Subkeys are better, as is
the explanation. It would also be helpful to know what version of GnuPG
you're using.

I followed the instructions there and was able to successfully load the
exported key into roundcube (which I'm sending this message from to
verify that it works for others besides me) and K-9 Mail for Android
(through OpenKeychain). I also tried moving my gnupg directory aside and
importing the exported signing-only subkey with the expected results.

However, that still doesn't address the "issues" with this approach. It
only works for signing; if you want to be able to decrypt messages sent
to you on your devices then you need to keep a copy of your encryption
subkey on them as well. Personally, I would argue that is a much bigger
risk in terms of compromise, as people being able to send messages
signed by my key would be an annoyance, sure. But people being able to
decrypt things that I wanted to keep secret could be potentially
devastating.

That said, as long as you have a suitable passphrase your risk of key
compromise is really, really minimal, even if they did get total control
over your device. Barring coercion, the chances of someone guessing your
passphrase are near zero. And currently that's the only way to gain
access to a secret key, even if you have it in your possession.

But let's say that the worst happens, and your device is compromised by
the bad folks, and they gain control of your key as well. Let's even use
a signing-only subkey for this scenario. Now, your attackers have access
to your full list of contacts, and your e-mail (so that they can get a
solid idea of how you write). Then they send the following message to
everyone in your contact list (assume for the sake of argument that the
following is written in something close enough to your personal style to
pass with your friends and family, etc.):

Woah, dude, major bummer! My phone got stolen! Totally bogus! Not only
that, but my PGP key was on it, and now they have that too! Sucks, man!
So here is my new key fingerprint. Please download it ASAP, revoke your
signatures on my old key, and mark it as bogus! And definitely, if you
get another message from me signed by this key, DON'T TRUST IT! That'll
be the hackers, man!

Of course, the new key that they send the fingerprint for will be one
that they have created, with all the same UID information, etc. Now
this won't fool everyone of course; there will be some of your
correspondents who will want to verify with you, some who won't act
because they don't know what you're talking about, etc. But the usual
stated goal of using a separate signing-only key is to protect the
reputation of your certification key, and to avoid having to create a
whole new key in response to a compromise. My argument is that in the
unlikely event that the bad folks get control of your secret key (of any
flavor) there is more than enough damage that they can do with it, even
if they don't get your certification key.

Now beyond THAT, you stated that your goal is to be able to ENCRYPT your
communications on your devices, and presumably that means to decrypt as
well. You can ENcrypt using just the recipient's public key of course.
But you can't DEcrypt unless you have your own encryption subkey on the
device. See above for why that's a much more significant risk (IMO). In
light of that requirement, a sign-only subkey doesn't get you much, and
given that with a good passphrase it's essentially impossible for them
to compromise your key, even if they do get it, you're adding complexity
for little, if any, benefit.

I could go on, but I'll let you respond first in case I've already said
enough. :)

hope this helps,

Doug

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJY4erMAAoJEBkT4LHp40of9CYH/1/p+3yZsH59ZJ6QvoNLrPLl
R/Xl29d+2zXjBM+EyBaYg+Gp2Hst3Wa46jBr3U0zkHYxXvZon/dRSr1VOP//xCk3
ke4E/FeUd9SSC//c380QQPpw5hKBjyg7UX7fP44wl8NgEEalaeY+R44ii4c0h6Kz
eYo4R7RS3piy6J79p4BdQihld/ZggT7JGZ2Z3+pk6X8MZ3pRSQ9ZKbYvHI8IgX8B
pGEYpKQqHb/QOzhLZkqGlhtN0ozSuGySH4aO7giH3b/s8cl3jSSnJqSiTV2lIViy
BrZ5YoI3ADVZr9mXXH3R+Ukzkp6gtcXExDnE1BSSSA4L74x2TxIZyJtoShU6ElI=
=mXI9
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
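An added example, not part of Doug's message or of the Debian wiki page he points to: the script below runs the signing-subkey recipe end to end with throwaway keys in two temporary keyrings (a "laptop" holding the full key and a "device" holding only the public key plus the secret half of the signing subkey) and then checks the two claims made in the thread: the device can sign, but cannot decrypt mail encrypted to the key because the encryption subkey is not there; and the local-storage use case works with passphrase-only symmetric encryption and no key pair at all. It assumes GnuPG 2.1 or later with ed25519/cv25519 support and the loopback pinentry mode; the user ID, passphrase and file contents are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian wiki): exercise the
# signing-subkey workflow with throwaway keys and verify the two points
# made above. Assumes GnuPG 2.1+ with ed25519/cv25519; every name and
# passphrase below is constructed for the demo.
set -eu

PASS='correct horse battery staple'   # constructed demo passphrase

# gpg wrapper: explicit homedir ($1), batch mode, passphrase via loopback.
g() { _home=$1; shift; gpg --homedir "$_home" --batch --quiet \
        --pinentry-mode loopback --passphrase "$PASS" "$@"; }

# Print the fingerprint of the primary key ($2 = pub) or of the first subkey
# whose capability field contains $2 (s = sign, e = encrypt) in keyring $1.
fpr_of() {
    gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null |
    awk -F: -v want="$2" '
        $1=="pub" || $1=="sub" { rec=$1; cap=$12 }
        $1=="fpr" && ((want=="pub" && rec=="pub") ||
                      (rec=="sub" && index(cap, want))) { print $10; exit }'
}

# Succeeds only if keyring $1 holds the primary secret key as a stub (the
# "sec#" of --list-secret-keys): field 15 of a sec record is "#" when the
# secret material itself is not present.
primary_is_stub() {
    gpg --homedir "$1" --batch --with-colons --list-secret-keys 2>/dev/null |
    awk -F: '$1=="sec" { seen=1; if ($15!="#") full=1 }
             END { exit (seen && !full) ? 0 : 1 }'
}

# Laptop keyring gets the full key (certify-only primary, signing subkey,
# encryption subkey); device keyring gets the public key plus the secret
# part of the signing subkey only. The "!" suffix selects exactly that
# subkey, which is the https://wiki.debian.org/Subkeys recipe.
setup_keys() {
    WORK=$(mktemp -d); LAPTOP=$WORK/laptop; DEVICE=$WORK/device
    mkdir -m 700 "$LAPTOP" "$DEVICE"
    g "$LAPTOP" --quick-generate-key 'Demo User <demo@example.invalid>' ed25519 cert never
    PRI=$(fpr_of "$LAPTOP" pub)
    g "$LAPTOP" --quick-add-key "$PRI" ed25519 sign never
    g "$LAPTOP" --quick-add-key "$PRI" cv25519 encr never
    SIGN=$(fpr_of "$LAPTOP" s)
    g "$LAPTOP" --export "$PRI" > "$WORK/pub.gpg"
    g "$LAPTOP" --export-secret-subkeys "$SIGN!" > "$WORK/sign-only.gpg"
    g "$DEVICE" --import "$WORK/pub.gpg" "$WORK/sign-only.gpg"
}

# The device can produce a detached signature that the laptop verifies.
sign_on_device() {
    printf 'hello from the device\n' > "$WORK/msg.txt"
    g "$DEVICE" --detach-sign -o "$WORK/msg.sig" "$WORK/msg.txt"
    g "$LAPTOP" --verify "$WORK/msg.sig" "$WORK/msg.txt" 2>/dev/null
}

# Mail encrypted to the key cannot be read on the device: its keyring has
# the public encryption subkey but not the secret half ("No secret key").
decrypt_on_device() {
    printf 'for your eyes only\n' > "$WORK/secret.txt"
    g "$LAPTOP" --encrypt -r "$PRI" -o "$WORK/secret.gpg" "$WORK/secret.txt"
    g "$DEVICE" --decrypt -o "$WORK/secret.out" "$WORK/secret.gpg" 2>/dev/null
}

# The local-storage case: passphrase-only symmetric encryption, readable by
# any GnuPG that knows the passphrase, with no key pair involved at all.
symmetric_roundtrip() {
    printf 'private notes\n' > "$WORK/notes.txt"
    g "$LAPTOP" --symmetric --cipher-algo AES256 -o "$WORK/notes.gpg" "$WORK/notes.txt"
    g "$DEVICE" --decrypt -o "$WORK/notes.out" "$WORK/notes.gpg"
    cmp -s "$WORK/notes.txt" "$WORK/notes.out"
}

cleanup() {
    for h in "$LAPTOP" "$DEVICE"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    setup_keys
    primary_is_stub "$DEVICE" && echo "device: primary key is only a stub (sec#)"
    sign_on_device && echo "device: can sign"
    decrypt_on_device || echo "device: cannot decrypt (no encryption subkey)"
    symmetric_roundtrip && echo "symmetric: round trip OK with no key pair"
    cleanup
fi
```

Run it with `RUN_DEMO=1 sh subkeys-demo.sh`. The interesting line is the failed `--decrypt` on the device keyring: the moment a device is expected to read mail, the encryption subkey has to be copied there too, which is exactly the risk the message above weighs against the convenience of a signing-only subkey.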