On Tue, 24 Jul 2012 14:24:08 -0700 Jonathan McDowell <noodles@earth.li> allegedly wrote:
> What happens if the old key is compromised briefly? E.g. it's a smartcard that's left inserted into a machine long enough to do the signature of a new key and a transition statement, but then removed and not available to the attacker any more?
I think that this is an extremely improbable scenario. For this to occur, you have to posit the attacker preparing a new key and transition statement in advance and holding those ready for the one moment that the key owner "forgets" that he/she has left the token inserted. That level of preparedness in anticipation of a possibly rare event seems to me unlikely unless the target is both hugely valuable to the attacker, and the attacker has very significant resources (particularly in time and personnel).
Personally, even I am not that paranoid.
> Or even if the old key is completely compromised and the owner realises it and issues a revocation certificate but by that point the new key has been well signed and the owner has no way of convincing people to remove their sigs from that key (he's said not to trust the old key...).
Now that /is/ much more likely and a worrying scenario. But there are a couple of ways around this. Firstly, the transition statement should not seek signatures. Signatures for the new key should be obtained off-line in a secure manner. Secondly, if for some reason signatures for the new key must be obtained in a sub-optimal manner, then the transition statement should say something like: "Signers of my old key are invited to sign the new key once they have satisfied themselves that I am indeed the owner of this new key. Please note that using either old or new key to verify my identity may be insufficient evidence if the old keys have been compromised."
But what does this really solve? If we are saying that we should not trust the new key, because the old key may be compromised, by the same logic we should not trust the old key at all. It may well have been compromised and no new key or transition statement issued.
Or am I missing something?
Mick
---------------------------------------------------------------------
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key
see: http://baldric.net/2012/07/20/gpg-key-upgrade/
---------------------------------------------------------------------