some beginner questions

Will Senn wsenn1 at twu.edu
Tue Apr 4 01:04:12 CEST 2017


On 4/3/17 1:25 AM, Doug Barton wrote:
>
> > but
> > I'm not having much luck signing with subkeys, so I'm not convinced this
> > is worth the headache and increased complexity of key management.
>
> It's not really that hard to do, what kind of problems are you having?
> The instructions at https://wiki.debian.org/Subkeys are better, as is
> the explanation. It would also be helpful to know what version of GnuPG
> you're using.
>
> I followed the instructions there and was able to successfully load the
> exported key into roundcube (which I'm sending this message from to
> verify that it works for others besides me) and K-9 Mail for Android
> (through OpenKeychain).  I also tried moving my gnupg directory aside
> and importing the exported signing-only subkey with the expected
> results.
>
> However, that still doesn't address the "issues" with this approach. It
> only works for signing, if you want to be able to decrypt messages sent
> to you on your devices then you need to keep a copy of your encryption
> subkey on them as well. Personally, I would argue that is a much bigger
> risk in terms of compromise, as people being able to send messages
> signed by my key would be an annoyance, sure. But people being able to
> decrypt things that I wanted to keep secret could be potentially
> devastating.
>
> That said, as long as you have a suitable passphrase your risk of key
> compromise is really, really minimal, even if they did get total control
> over your device. Barring coercion, the chances of someone guessing your
> passphrase are near zero. And currently that's the only way to gain
> access to a secret key, even if you have it in your possession.
>
> But let's say that the worst happens, and your device is compromised by
> the bad folks, and they gain control of your key as well. Let's even use
> a signing-only subkey for this scenario. Now, your attackers have access
> to your full list of contacts, and your e-mail (so that they can get a
> solid idea of how you write). Then they send the following message to
> everyone in your contact list (assume for the sake of argument that the
> following is written in something close enough to your personal style to
> pass with your friends and family, etc.):
>
> Woah, dude, major bummer! My phone got stolen! Totally bogus! Not only
> that, but my PGP key was on it, and now they have that too! Sucks, man!
> So here is my new key fingerprint. Please download it ASAP, revoke your
> signatures on my old key, and mark it as bogus! And definitely, if you
> get another message from me signed by this key, DON'T TRUST IT! That'll
> be the hackers, man!
>
> Of course, the new key that they send the fingerprint for will be one
> that they have created, with all the same UID information, etc. Now this
> won't fool everyone of course, there will be some of your correspondents
> who will want to verify with you, some who won't act because they don't
> know what you're talking about, etc. But the usual stated goal of using
> a separate signing-only key is to protect the reputation of your
> certification key, and to avoid having to create a whole new key in
> response to a compromise. My argument is that in the unlikely event that
> the bad folks get control of your secret key (of any flavor) there is
> more than enough damage that they can do with it, even if they don't get
> your certification key.
>
> Now beyond THAT, you stated that your goal is to be able to ENCRYPT your
> communications on your devices, and presumably that means to decrypt as
> well. You can ENcrypt using just the recipient's public key of course.
> But you can't DEcrypt unless you have your own encryption subkey on the
> device. See above for why that's a much more significant risk (IMO). In
> light of that requirement, a sign-only subkey doesn't get you much, and
> given that with a good passphrase it's essentially impossible for them
> to compromise your key, even if they do get it, you're adding complexity
> for little, if any, benefit.
>
> I could go on, but I'll let you respond first in case I've already said
> enough. :)
>
Actually, I appreciate all of the detail. I will start off with a simple
keypair that I am careful with. Based on my current understanding, if my
passphrase is known only to me, is sufficiently long and unique, if I
keep my secret key reasonably secure, and keep it local to my own
devices, I should be reasonably safe from exploit against all but the
most determined folks.
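The exchange above turns on one practical point: a device that holds only the signing subkey's secret material can sign but cannot decrypt, and a device that can decrypt must carry the encryption subkey. The following check is an added example, not code from the thread or from GnuPG; it parses the machine-readable output of `gpg --list-secret-keys --with-colons` and reports which operations the keyring on a given device can actually perform. It relies on two documented facts about GnuPG's colon format: field 12 lists a key's capability letters (`s` sign, `e` encrypt, `c` certify, `a` authenticate), and field 15 holds `#` when gpg has only a stub for that secret key (the same keys show as `sec#`/`ssb#` in the human-readable listing). The two listings embedded below are constructed, with placeholder key IDs and fingerprints; the assumption that anything other than `#` in field 15 means the secret is present holds for GnuPG 2.1 and later.

```python
"""Audit which OpenPGP operations a device's keyring can perform.

Reads the output of `gpg --list-secret-keys --with-colons` and reports
whether secret material is present for signing, decryption, certification
and authentication.  Added example with constructed listings; not code
from the mailing-list thread or from GnuPG itself.
"""

from typing import Dict, List, Set

# Constructed listing of a laptop keyring that received only the signing
# subkey (e.g. via `gpg --export-secret-subkeys <signing-subkey-id>!`).
# Key IDs and fingerprints are placeholders.  Field 15 is '#' for the
# primary key and the encryption subkey: gpg holds only stubs for them.
SIGNING_ONLY_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1490000000:::u:::cESCA:::#:::23::0:
fpr:::::::::000000000000000000000000123456789ABCDEF0:
uid:u::::1490000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1490000000::::::s:::+:::23:
fpr:::::::::00000000000000000000000000FEDCBA9876543210:
ssb:u:4096:1:1111222233334444:1490000000::::::e:::#:::23:
fpr:::::::::0000000000000000000000001111222233334444:
"""

# Constructed listing of the same key on the machine that holds everything.
FULL_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1490000000:::u:::cESCA:::+:::23::0:
fpr:::::::::000000000000000000000000123456789ABCDEF0:
uid:u::::1490000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1490000000::::::s:::+:::23:
fpr:::::::::00000000000000000000000000FEDCBA9876543210:
ssb:u:4096:1:1111222233334444:1490000000::::::e:::+:::23:
fpr:::::::::0000000000000000000000001111222233334444:
"""

# Lower-case capability letters from field 12 of a sec/ssb record.
CAPABILITY_NAMES = {"s": "sign", "e": "decrypt", "c": "certify", "a": "authenticate"}


def parse_colon_listing(text: str) -> List[Dict[str, object]]:
    """Return one record per sec/ssb line: type, key ID, capabilities,
    and whether gpg holds the secret material (field 15 != '#')."""
    keys: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        # Pad so that older gpg versions, which print fewer fields, index safely.
        fields += [""] * (21 - len(fields))
        caps: Set[str] = {c for c in fields[11] if c.islower()}
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            "caps": caps,
            "secret_present": fields[14] != "#",
        })
    return keys


def usable_operations(keys: List[Dict[str, object]]) -> Dict[str, bool]:
    """An operation is usable on this device only if some key that has the
    capability also has its secret material present."""
    result = {name: False for name in CAPABILITY_NAMES.values()}
    for key in keys:
        if not key["secret_present"]:
            continue
        for letter in key["caps"]:  # type: ignore[attr-defined]
            name = CAPABILITY_NAMES.get(letter)
            if name:
                result[name] = True
    return result


def audit_listing(text: str) -> Dict[str, bool]:
    """Convenience wrapper: listing text in, per-operation verdict out."""
    return usable_operations(parse_colon_listing(text))


if __name__ == "__main__":
    for label, listing in (("signing-only device", SIGNING_ONLY_LISTING),
                           ("full keyring", FULL_LISTING)):
        print(f"{label}:")
        for key in parse_colon_listing(listing):
            state = "secret present" if key["secret_present"] else "stub only"
            print(f"  {key['type']} {key['keyid']} caps={''.join(sorted(key['caps']))} ({state})")
        print("  can:", audit_listing(listing))
```

Run against a real device with `gpg --list-secret-keys --with-colons | python3 audit.py` after swapping the embedded listings for `sys.stdin.read()`; on the signing-only laptop the verdict is `sign: True, decrypt: False`, which is exactly the trade-off the thread describes. If `decrypt` comes back `True` on a device that was only meant to sign, the encryption subkey's secret material was exported along with the signing subkey and should be removed there.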
