On Fri, Jul 20, 2012 at 12:33:54PM +0100, Richard Parsons wrote:
> On Wed, Jul 18, 2012 at 10:23:08AM -0700, Jonathan McDowell wrote:
> > If the attacker doesn't actually have the old key but was able to get it to sign the new key + transition statement then even worse the attacker can now read something they otherwise couldn't.
>
> I think this is the crux of it. How could the above happen? If the attacker has signed the transition statement with the old key, hasn't he already compromised the old key? This is a sincere question, I'm open to being convinced.
>
> If it's possible to forge the signed transition statement, without compromising the old key, then there is merit to trusting the old key and not the new one. On the other hand, if you reach the conclusion that the only way to sign the transition statement is to compromise the old key, then you may as well trust the new key -- there is no significant risk of the new key being compromised although the old one is not.
What happens if the old key is compromised briefly? Eg it's a smartcard that's left inserted into a machine long enough to do the signature of a new key and a transition statement, but then removed and not available to the attacker any more?
Or even if the old key is completely compromised and the owner realises it and issues a revocation certificate but by that point the new key has been well signed and the owner has no way of convincing people to remove their sigs from that key (he's said not to trust the old key...).
J.
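The cases argued over above (an unrevoked old key, a briefly compromised key that is later revoked as compromised, a routine retirement) come down to how a verifier treats the old key's signature on the transition statement once a revocation appears. The following is an added illustration, not code from this thread or from any OpenPGP implementation: signatures are stood in by HMAC tags over a constructed per-key secret, and the policy is modelled on the OpenPGP convention that a "compromised" revocation is hard (voids every signature, whatever its date) while a "superseded" revocation is soft (signatures made before it still count). Key fingerprints, timestamps and the `demo()` scenarios are all constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Key:
    """A signing key as seen by a verifier. `secret` is a constructed stand-in
    for the private key; `revocation_reason` mirrors the OpenPGP reasons
    'compromised' (hard revocation) and 'superseded' (soft revocation)."""
    fingerprint: str
    secret: bytes
    revoked_at: Optional[str] = None         # ISO 8601, when the revocation was issued
    revocation_reason: Optional[str] = None  # 'compromised' or 'superseded'


@dataclass
class Transition:
    signer: str     # fingerprint of the old key
    new_key: str    # fingerprint of the new key
    signed_at: str  # ISO 8601, signature creation time claimed in the statement
    tag: bytes      # stand-in signature (HMAC) over the fields above


def _body(signer: str, new_key: str, signed_at: str) -> bytes:
    return json.dumps({"signer": signer, "new_key": new_key, "signed_at": signed_at},
                      sort_keys=True).encode()


def sign_transition(old: Key, new_key: str, signed_at: str) -> Transition:
    """Old key signs 'new key + transition statement' (HMAC stand-in for a real signature)."""
    tag = hmac.new(old.secret, _body(old.fingerprint, new_key, signed_at), hashlib.sha256).digest()
    return Transition(old.fingerprint, new_key, signed_at, tag)


def signature_valid(old: Key, t: Transition) -> bool:
    expected = hmac.new(old.secret, _body(t.signer, t.new_key, t.signed_at), hashlib.sha256).digest()
    return t.signer == old.fingerprint and hmac.compare_digest(expected, t.tag)


def evaluate(old: Key, t: Transition) -> tuple:
    """Decide whether the old key's signature should carry trust to the new key.

    Returns (verdict, reason) with verdict in {'trust', 'reject'}.
    """
    if not signature_valid(old, t):
        return "reject", "statement does not verify under the old key"
    if old.revoked_at is None:
        # Nothing on record contradicts the statement. A brief, unreported
        # compromise (a smartcard left inserted just long enough to sign)
        # is indistinguishable from a legitimate transition at this point.
        return "trust", "old key is not revoked"
    if old.revocation_reason == "compromised":
        # Hard revocation: the verifier cannot know when the compromise began,
        # so a signature timestamp earlier than the revocation proves nothing.
        return "reject", "old key revoked as compromised; its signatures are void regardless of date"
    # Soft revocation (superseded/retired): signatures made before the
    # revocation remain meaningful, later ones do not.
    if datetime.fromisoformat(t.signed_at) < datetime.fromisoformat(old.revoked_at):
        return "trust", "signed before a soft revocation of the old key"
    return "reject", "signed after the old key was revoked"


def demo() -> dict:
    """Run the scenarios from the thread on constructed keys and timestamps."""
    old = Key("OLD0000", b"old-key-secret (constructed)")
    stmt = sign_transition(old, "NEW0000", "2012-07-18T09:00:00")
    results = {"unrevoked": evaluate(old, stmt)[0]}

    # Owner later discovers the compromise and publishes a hard revocation.
    hard = Key(old.fingerprint, old.secret, "2012-07-19T12:00:00", "compromised")
    results["hard_revoked"] = evaluate(hard, stmt)[0]

    # Routine retirement: a statement signed before the revocation still carries trust.
    soft = Key(old.fingerprint, old.secret, "2012-07-19T12:00:00", "superseded")
    results["soft_revoked_before"] = evaluate(soft, stmt)[0]
    late = sign_transition(old, "NEW0000", "2012-07-20T09:00:00")
    results["soft_revoked_after"] = evaluate(soft, late)[0]

    # A statement produced without the old key's secret fails verification.
    forged = Transition(old.fingerprint, "EVIL000", "2012-07-18T09:00:00", b"\x00" * 32)
    results["forged"] = evaluate(old, forged)[0]
    return results
```

The `unrevoked` case is the one the thread worries about: the evaluator has no information with which to distinguish a smartcard briefly borrowed from a genuine transition, so the only defence is the owner noticing and issuing a hard revocation, after which the transition is rejected even though third parties may already have signed the new key on the strength of it.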