On 4/3/17 1:25 AM, Doug Barton wrote:
>>> but
>> I'm not having much luck signing with subkeys, so I'm not convinced this
>> is worth the headache and increased complexity of key management.
>
> It's not really that hard to do, what kind of problems are you having?
> The instructions at https://wiki.debian.org/Subkeys are better, as is
> the explanation. It would also be helpful to know what version of GnuPG
> you're using.
>
> I followed the instructions there and was able to successfully load the
> exported key into roundcube (which I'm sending this message from to
> verify that it works for others besides me) and K-9 Mail for Android
> (through OpenKeychain). I also tried moving my gnupg directory aside
> and importing the exported signing-only subkey with the expected
> results.
>
> However, that still doesn't address the "issues" with this approach. It
> only works for signing; if you want to be able to decrypt messages sent
> to you on your devices then you need to keep a copy of your encryption
> subkey on them as well. Personally, I would argue that is a much bigger
> risk in terms of compromise, as people being able to send messages
> signed by my key would be an annoyance, sure. But people being able to
> decrypt things that I wanted to keep secret could be potentially
> devastating.
>
> That said, as long as you have a suitable passphrase your risk of key
> compromise is really, really minimal, even if they did get total control
> over your device. Barring coercion, the chances of someone guessing your
> passphrase are near zero. And currently that's the only way to gain
> access to a secret key, even if you have it in your possession.
>
> But let's say that the worst happens, and your device is compromised by
> the bad folks, and they gain control of your key as well. Let's even use
> a signing-only subkey for this scenario. Now, your attackers have access
> to your full list of contacts, and your e-mail (so that they can get a
> solid idea of how you write). Then they send the following message to
> everyone in your contact list (assume for the sake of argument that the
> following is written in something close enough to your personal style to
> pass with your friends and family, etc.):
>
> Whoa, dude, major bummer! My phone got stolen! Totally bogus! Not only
> that, but my PGP key was on it, and now they have that too! Sucks, man!
> So here is my new key fingerprint. Please download it ASAP, revoke your
> signatures on my old key, and mark it as bogus! And definitely, if you
> get another message from me signed by this key, DON'T TRUST IT! That'll
> be the hackers, man!
>
> Of course, the new key that they send the fingerprint for will be one
> that they have created, with all the same UID information, etc. Now this
> won't fool everyone of course, there will be some of your correspondents
> who will want to verify with you, some who won't act because they don't
> know what you're talking about, etc. But the usual stated goal of using
> a separate signing-only key is to protect the reputation of your
> certification key, and to avoid having to create a whole new key in
> response to a compromise. My argument is that in the unlikely event that
> the bad folks get control of your secret key (of any flavor) there is
> more than enough damage that they can do with it, even if they don't get
> your certification key.
>
> Now beyond THAT, you stated that your goal is to be able to ENCRYPT your
> communications on your devices, and presumably that means to decrypt as
> well. You can ENcrypt using just the recipient's public key of course.
> But you can't DEcrypt unless you have your own encryption subkey on the
> device. See above for why that's a much more significant risk (IMO). In
> light of that requirement, a sign-only subkey doesn't get you much, and
> given that with a good passphrase it's essentially impossible for them
> to compromise your key, even if they do get it, you're adding complexity
> for little, if any, benefit.
>
> I could go on, but I'll let you respond first in case I've already said
> enough. :)
>

Actually, I appreciate all of the detail. I will start off with a simple keypair that I am careful with. Based on my current understanding, if my passphrase is known only to me and is sufficiently long and unique, and if I keep my secret key reasonably secure and local to my own devices, I should be reasonably safe from exploitation by all but the most determined folks.
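The check Doug describes above (exporting only the signing subkey, then importing it into a fresh gnupg directory to see what actually arrived) can be scripted so that the result is verified rather than eyeballed. The script below is an added example, not code from this thread or from the Debian wiki it links: it builds a throwaway key with a certify-only primary plus separate signing and encryption subkeys, exports the signing subkey alone with gpg's trailing `!` key selector, imports that file into a second empty home, and confirms that the second home holds a stub primary (`sec#`) and a signing subkey but no usable encryption subkey, which is the part of the key Doug argues is the real exposure on a phone. The "laptop" and "phone" directory names, the demo user ID, the empty passphrase and the ed25519/cv25519 algorithm choices are all constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that a "signing-only" export really leaves the
# encryption subkey behind. Everything here runs in throwaway temp dirs;
# it never touches ~/.gnupg. Names and key parameters are constructed.
set -eu

# Returns 0 when the device keyring ends up with a stub primary and a
# signing subkey but NO encryption subkey, 1 when that check fails, and
# 2 when gpg is not installed (nothing to test).
check_signing_only_export() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 2; }

    work=$(mktemp -d) || return 1
    laptop="$work/laptop"   # assumed: where the full key lives
    phone="$work/phone"     # assumed: the device that should get signing only
    mkdir -m 700 "$laptop" "$phone" || return 1

    # gpg wrapper: first argument is the home dir; batch mode with an empty
    # passphrase over loopback pinentry (fine for a demo, not for a real key).
    g() { h=$1; shift; GNUPGHOME="$h" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
    # Machine-readable secret key listing for one home dir.
    secret_listing() { GNUPGHOME="$1" gpg --batch --with-colons --with-fingerprint --list-secret-keys; }

    rc=1
    # Certify-only primary, then one signing and one encryption subkey.
    g "$laptop" --quick-generate-key 'Demo User <demo@example.invalid>' ed25519 cert never &&
    fpr=$(secret_listing "$laptop" | awk -F: '$1=="fpr"{print $10; exit}') &&
    g "$laptop" --quick-add-key "$fpr" ed25519 sign never &&
    g "$laptop" --quick-add-key "$fpr" cv25519 encr never &&
    # Colon field 12 holds the capability letters; pick the subkey with "s".
    sign_id=$(secret_listing "$laptop" | awk -F: '$1=="ssb" && $12 ~ /s/ {print $5; exit}') &&
    # The trailing "!" restricts --export-secret-subkeys to exactly that subkey.
    g "$laptop" --export-secret-subkeys "${sign_id}!" > "$work/signing-only.gpg" &&
    g "$phone" --import "$work/signing-only.gpg" &&
    # Inspect the device keyring. Field 15 is "#" when the secret part is a
    # stub (i.e. the key is listed but no private material is present).
    listing=$(secret_listing "$phone") &&
    primary_stub=$(printf '%s\n' "$listing" | awk -F: '$1=="sec"{print $15; exit}') &&
    n_sign=$(printf '%s\n' "$listing" | awk -F: '$1=="ssb" && $12 ~ /s/ && $15 != "#" {n++} END{print n+0}') &&
    n_encr=$(printf '%s\n' "$listing" | awk -F: '$1=="ssb" && $12 ~ /e/ && $15 != "#" {n++} END{print n+0}') &&
    [ "$primary_stub" = "#" ] && [ "$n_sign" -ge 1 ] && [ "$n_encr" -eq 0 ] && rc=0

    # Stop the per-home agents and remove the temporary keyrings.
    GNUPGHOME="$laptop" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$phone" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $rc
}

if check_signing_only_export; then
    echo "OK: device keyring has a stub primary, a signing subkey, and no encryption subkey"
else
    echo "check failed or skipped (rc=$?)"
fi
```

The same listing is what you would run on the real device after importing: a `sec#` line for the primary and an `ssb` line carrying only the `s` capability means the phone can sign but cannot decrypt, and nothing on it can certify other people's keys. If an `ssb` line with `e` and no `#` shows up, the encryption subkey travelled with the export and the "signing-only" label no longer describes what is on the device.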
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users