Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Artifact ID: | ba1ff1982ac9eda4085114d2357b393055c6cda2 |
---|---|
Page Name: | keyrevokation |
Date: | 2014-04-27 19:31:03 |
Original User: | bernd |
Parent: | a96d4d87c4bffbcfab15965b1772b9ad30c33f24 (diff) |
Next | f1886a2353b2551aaa3d5cc9ec7bd7cdd15b9d29 |
Key Revocation
Key revocation usually is done with a signature of the lost key, i.e. both
the owner and the adversary can revoke a compromised key. However, the
important function in case of a revocation is declaring the successor key,
which reestablishs trust. To do that, you must actually proof that you are the
legitimate owner of the exposed secret key, so how do you do that? After
all, the adversary has stolen it!
Therefore, the requirements are as follows:
- Only the creator of the secret key can revoke it
- A thief of the secret key can't (i.e. further information is necessary)
- Revocation must present a trustworthy replacement key
- Third parties must trust both the revocation and the replacement key without another trustworthy instance, i.e. trusting only their communication partner
I keep s2 as offline copy (it's just 64 hex digits), and s as protected online copy in my device; s is subject to attacks and backdoors, and therefore at risk. To revoke a key, I publish p2, which the recipient can validate by p1*(p2)==p.
To sign a new key, I use s2 as signature key, i.e. the recipient can use the just published p2 to verify the transition to the replacement key. Of course, the new key also has a signature with s, the old key. The format of the revocation attribute is actually <new pubkeys: pnew, p1new><p2, sig using s2><sig using s>. Both signatures must have the same signing date, and a never expiration date (a revocation doesn't expire).