Encryption keys in the OpenPGP spec

David Shaw dshaw at jabberwocky.com
Mon Jul 27 17:35:38 CEST 2009


On Jul 27, 2009, at 11:15 AM, James P. Howard, II wrote:

> On Sun Jul 26 2009 23:09:18 GMT-0400 (EST) , David Shaw
> <dshaw at jabberwocky.com> wrote:
>
>> Because it is difficult (or nearly impossible) to determine the
>> difference from the perspective of GnuPG.  That is, I as a person
>> know what I'm encrypting and what I plan on doing with it, but GnuPG
>> just sees bits.  As a general-purpose OpenPGP tool, GnuPG pretty much
>> needs to treat both communications and storage as the same thing.
>> Other tools for more specific environments may "know" what their
>> usage is and can treat this differently.
>>
>> This is expected behavior - the OpenPGP standard even mentions it:
>>
>> Note however, that it is a thorny issue to determine what is
>> "communications" and what is "storage".  This decision is left wholly
>> up to the implementation; the authors of this document do not claim
>> any special wisdom on the issue and realize that accepted opinion may
>> change.
>
> I noticed this, too.  But since I also do not claim any special wisdom
> on the issue, I was hoping someone would.  Since we all seem to agree
> that communication and storage is difficult to distinguish, can someone
> suggest why different keys may be desired in different circumstances?

As one of the authors of the document, I have already disclaimed any  
special wisdom ;)

A contrived example: say you are in an environment where you do both  
email (communications) and archiving data (storage).  You make a new  
email (i.e. communications) subkey every year or so because you take  
that key with you and want to make sure any exposure is limited.  You  
only make a new archiving (i.e. storage) subkey every 10 years because  
of the inconvenience.  Given those two use cases, you'd want the  
ability to differentiate.

A better answer is that the ability is there in the standard as a tool  
in the toolbox.  Whether the need to differentiate comes for legal  
reasons (long-term storage needing a particular key type or size as  
per regulation), or for convenience (as in my example), or for some  
other reason altogether doesn't matter.  The ability is in the  
standard in case someone wants to make use of it.

David
