
Re: Forward secrecy



Hal,

Thanks for the comments :)

We did include mechanisms for specifying the one-time pad to be used to
decrypt a given message:
--
4.2 One-time pad reference
...
     - A four-octet date when the referenced one-time pad was created.

     - A four-octet offset specifying the first octet in the referenced
       pad that should be used as key.
--
ie the creation time was meant to be a pseudo-ID.

But I am quite happy to take out the OTP section if that's what people
want: if anyone later feels they need it, they would be welcome to
cannibalise our text as the starting point for a new RFC. What are other
people's thoughts?

> One is what has recently been discussed on the ukcrypto list, which is
> to provide a mechanism in the client to surrender selected session keys
> rather than public keys, under court order.  This provides a minimal
> way of complying with the new UK laws.

I have added the following paragraph to the "Key Surrender" section:

"The least compromising key required MUST be the one surrendered. The
session key used to encrypt an individual message will often be sufficient.
Otherwise, a subkey should be surrendered before a long-term top-level key.
Signature keys should not be surrendered unless absolutely necessary."

> Another idea, which would be much harder to specify clearly, was
> something that PRZ proposed to me way back in 1992.  Similar to the
> one-use decryption keys, he proposed that communicating parties cache a
> session key to be used over a series of messages, updating it for each
> message transfer.  You could get forward secrecy by doing something like
> new_key = hash(old_key), with appropriate precautions.  This would be a
> lighter weight mechanism than the one-use decryption keys, but it would
> be more of a change to the OpenPGP standard.

This is nice, but does need a reasonable amount of work to specify. If
people feel this would be valuable, we could discuss it further.

Ian :)
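The hash-chain key update sketched in the quoted paragraph (new_key = hash(old_key)), written out as an added illustration; this is not code from the original message or from the OpenPGP draft under discussion. It assumes HMAC-SHA256 as the hash, two fixed labels to separate the "next chain key" derivation from the "message key" derivation, an HMAC counter-mode keystream standing in for a real cipher, and a bounded cache of skipped keys as one of the "appropriate precautions" for messages that are lost or arrive out of order. The session key, labels and MAX_SKIP value are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed example of a hash-chain ratchet: every message gets a fresh key
# and the shared state only ever moves forward. Labels and MAX_SKIP are
# assumptions of this example, not parameters from the draft being discussed.
CHAIN_LABEL = b"ratchet/chain"
MSG_LABEL = b"ratchet/message"
MAX_SKIP = 64  # how many lost or delayed messages a receiver will tolerate


def ratchet_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """Derive (message_key, next_chain_key) from the current chain key.

    Both outputs are HMAC-SHA256 of the chain key under distinct labels, so
    the chain key is the only secret that persists. Because the hash is
    one-way, learning next_chain_key does not reveal chain_key or the
    message key derived alongside it; that is the forward-secrecy property.
    """
    message_key = hmac.new(chain_key, MSG_LABEL, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_LABEL, hashlib.sha256).digest()
    return message_key, next_chain_key


def keystream_xor(message_key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC counter-mode keystream under message_key.

    Illustrative stand-in for a real cipher: the point of the example is the
    key schedule, so the same function both encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(message_key, counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class RatchetPeer:
    """One end of a conversation that started from a shared session key."""

    def __init__(self, session_key: bytes) -> None:
        self.chain_key = session_key
        self.next_index = 0  # index of the next message key to derive
        self.skipped: Dict[int, bytes] = {}  # keys parked for messages still in transit

    def _advance(self) -> bytes:
        # The old chain key is overwritten here and is never stored anywhere else.
        message_key, self.chain_key = ratchet_step(self.chain_key)
        self.next_index += 1
        return message_key

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        index = self.next_index
        return index, keystream_xor(self._advance(), plaintext)

    def receive(self, index: int, ciphertext: bytes) -> bytes:
        if index in self.skipped:
            # A message we had already ratcheted past finally arrived.
            message_key = self.skipped.pop(index)
        else:
            if index < self.next_index:
                raise ValueError(f"message {index} already consumed; its key was erased")
            if index - self.next_index > MAX_SKIP:
                raise ValueError("too many messages missing to resynchronise")
            while self.next_index < index:
                # Park keys for messages that have not arrived yet, then catch up.
                parked_index = self.next_index
                self.skipped[parked_index] = self._advance()
            message_key = self._advance()
        return keystream_xor(message_key, ciphertext)


def compromise_view(victim: RatchetPeer) -> RatchetPeer:
    """Model an attacker who seizes a peer's current state: everything sent
    from now on is readable, messages whose keys were already erased are not."""
    clone = RatchetPeer(victim.chain_key)
    clone.next_index = victim.next_index
    return clone


if __name__ == "__main__":
    shared = os.urandom(32)  # constructed initial session key (e.g. from a key exchange)
    alice, bob = RatchetPeer(shared), RatchetPeer(shared)
    first = alice.send(b"first message")
    second = alice.send(b"second message, delayed in transit")
    third = alice.send(b"third message")
    print(bob.receive(*first))   # in order
    print(bob.receive(*third))   # arrives before the second; the key for #1 is parked
    print(bob.receive(*second))  # late arrival, decrypted from the parked key
    snooper = compromise_view(bob)
    print(snooper.receive(*alice.send(b"future traffic is exposed")))
```

The parked-key cache is what makes the scheme survive a lost or reordered message without either side rewinding; the bound on it (MAX_SKIP) is the other half of that precaution, since an attacker who could force unbounded skipping would otherwise make the receiver hold keys indefinitely. Note that the compromise model only covers what the quoted paragraph claims: seizing the current chain key exposes future traffic, and a key-agreement step would be needed to recover from that.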