key management & APG
Hauke Laging
mailinglisten at hauke-laging.de
Sun Aug 4 17:21:58 CEST 2013
On Sun 04.08.2013, 10:00:49, Philipp Klaus Krause wrote:
> > Then the sender can decide how confidential the information is (or how
> > reliable the signature must be).
>
> You mean creating two separate keys for the same email address? And sign
> each with the other?
You may sign them with each other.
> Anyone else will have to sign both of my keys for this address?
If you sign them with each other and both signing keys are high security (the
one as a whole and the offline mainkey of the other) then everyone would have
to sign one only. In general it would be enough to sign the highest security
key of a person but this may break the web of trust because that unfortunately
does not make a difference between your own keys and those of others.
> How would I document the security levels?
For the future I suggest a five step scale:
1: test key (publicly available) or used on untrusted systems
2: key available to trusted other systems (e.g. webmail) or smartphones
3: normal PC (email, web surfing)
4: hardened normal PC (no one else is using it; technical protections)
5: secure environment (e.g. verified Linux live DVD)
I guess anything above that can hardly be standardized (and need not).
> Use the comment field?
When I create keys for Germans I create a UID without email but with this
comment:
"Alltagsschlüssel mit sicherem Offline-Hauptschlüssel und policy URL"
This is:
"Everyday key with secure offline mainkey and policy URL"
The safe way is to have a key policy (not just a certification policy!) which
is signed by a secure offline mainkey. But, of course, you must know for sure
that another one's key has a secure offline mainkey. You easily realize that
the current WoT is useless.
http://www.openpgp-notations.org/
> Will
> current software make the choice easy for the people sending mail to me,
No, but if more people start using crypto then the demand for usable solutions
will arise quickly and result in the tools getting this ability. This could be
done by signature notations (for both self-signatures and certifications by
others).
Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
XMPP (chat with OTR): hauke.laging at googlemail.com
XMPP (chat with OTR): hauke.laging at jabber.ccc.de
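The signature notations Hauke proposes for documenting a key's security level have a defined wire format: the RFC 4880 Notation Data subpacket that lives inside a self-signature or a certification. The following is an added example, not code from this thread or from GnuPG: it encodes a human-readable notation carrying one value from the five-step scale above and reads it back out of a run of signature subpackets. The notation name is a hypothetical placeholder; nothing on the list fixed a concrete name.

```python
import struct

NOTATION_DATA = 20     # RFC 4880 subpacket type: Notation Data
HUMAN_READABLE = 0x80  # first flags octet: value is UTF-8 text
# Hypothetical notation name (RFC 4880 wants name@domain for non-IETF ones).
LEVEL_NOTATION = "security-level@example.org"

def encode_length(n):
    """Subpacket length, RFC 4880 section 5.2.3.1 (1, 2 or 5 octets)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def decode_length(data, pos):  # inverse of encode_length: (length, new pos)
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5

def encode_notation(name, value):
    """Complete human-readable Notation Data subpacket: length, type, body."""
    name_b, value_b = name.encode(), value.encode()
    body = (bytes([HUMAN_READABLE, 0, 0, 0])
            + struct.pack(">HH", len(name_b), len(value_b)) + name_b + value_b)
    return encode_length(len(body) + 1) + bytes([NOTATION_DATA]) + body

def parse_notations(data):
    """Walk a run of subpackets, returning {name: value} for notations only."""
    notations, pos = {}, 0
    while pos < len(data):
        length, pos = decode_length(data, pos)
        sp_type = data[pos] & 0x7F          # bit 7 is the "critical" flag
        body = data[pos + 1:pos + length]
        pos += length
        if sp_type != NOTATION_DATA:
            continue                        # e.g. creation time, key flags
        name_len, value_len = struct.unpack(">HH", body[4:8])
        name = body[8:8 + name_len].decode()
        value = body[8 + name_len:8 + name_len + value_len]
        notations[name] = value.decode() if body[0] & HUMAN_READABLE else value
    return notations

def security_level(subpackets):
    """Level 1..5 on the scale above, or None if the notation is absent or invalid."""
    value = parse_notations(subpackets).get(LEVEL_NOTATION)
    return int(value) if value in ("1", "2", "3", "4", "5") else None
```

A verifier would still have to check that the signature carrying the notation was made by a key it trusts for this purpose; the notation itself only records the claim.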