Re: Forward secrecy
Hal,
Thanks for the comments :)
We did include mechanisms for specifying the one-time pad to be used to
decrypt a given message:
--
4.2 One-time pad reference
...
- A four-octet date when the referenced one-time pad was created.
- A four-octet offset specifying the first octet in the referenced
pad that should be used as key.
--
i.e. the creation time was meant to be a pseudo-ID.
But I am quite happy to take out the OTP section if that's what people
want: if anyone later feels they need it, they would be welcome to
cannibalise our text as the starting point for a new RFC. What are other
people's thoughts?
> One is what has recently been discussed on the ukcrypto list, which is
> to provide a mechanism in the client to surrender selected session keys
> rather than public keys, under court order. This provides a minimal
> way of complying with the new UK laws.
I have added the following paragraph to the "Key Surrender" section:
"The least compromising key required MUST be the one surrendered. The
session key used to encrypt an individual message will often be sufficient.
Otherwise, a subkey should be surrendered before a long-term top-level key.
Signature keys should not be surrendered unless absolutely necessary."
> Another idea, which would be much harder to specify clearly, was
> something that PRZ proposed to me way back in 1992. Similar to the
> one-use decryption keys, he proposed that communicating parties cache a
> session key to be used over a series of messages, updating it for each
> message transfer. You could get forward secrecy by doing something like
> new_key = hash(old_key), with appropriate precautions. This would be a
> lighter weight mechanism than the one-use decryption keys, but it would
> be more of a change to the OpenPGP standard.
This is nice, but does need a reasonable amount of work to specify. If
people feel this would be valuable, we could discuss it further.
Ian :)
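The cached-session-key idea Hal quotes from PRZ (new_key = hash(old_key), advanced once per message) is easiest to judge with a working model. The following is an added example written for this thread, not code from the post, from the draft under discussion, or from any OpenPGP implementation. The shared starting key, the party names, the labels "chain" and "message", and the SHA-256 counter keystream are all constructed for illustration; a real design would use an authenticated cipher and would negotiate the initial key through the normal public-key exchange. The example also shows the limit Hal's "appropriate precautions" hints at: the ratchet protects messages sent before a key leaks, but a leaked chain key still yields every later key until a fresh secret is mixed in.

```python
import hashlib
import hmac

# Constructed stand-in for the key both parties agree once; not from the post.
INITIAL_CHAIN_KEY = hashlib.sha256(b"example shared secret, constructed").digest()


def ratchet(chain_key: bytes) -> bytes:
    """new_key = hash(old_key). One-way, so a captured current key gives no
    way back to the keys that preceded it."""
    return hashlib.sha256(b"chain" + chain_key).digest()


def message_key(chain_key: bytes) -> bytes:
    """Per-message key derived under a separate label, so the bytes that
    encrypt traffic are never the chain key itself."""
    return hmac.new(chain_key, b"message", hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream (SHA-256 of key || block counter), used here
    only so the example is self-contained. Symmetric: encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hashlib.sha256(key + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Party:
    """One endpoint. Both endpoints start from the same chain key and advance
    it once per message, in lock-step, so no key is ever sent on the wire."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.index = 0  # messages processed so far; doubles as a replay check

    def send(self, plaintext: bytes):
        packet = (self.index, keystream_xor(message_key(self.chain_key), plaintext))
        # The old chain key must not be retained anywhere after this line,
        # otherwise the forward-secrecy property is lost.
        self.chain_key = ratchet(self.chain_key)
        self.index += 1
        return packet

    def receive(self, packet):
        index, ciphertext = packet
        if index != self.index:
            raise ValueError(f"expected message {self.index}, got {index}")
        plaintext = keystream_xor(message_key(self.chain_key), ciphertext)
        self.chain_key = ratchet(self.chain_key)
        self.index += 1
        return plaintext


def roundtrip(messages):
    """Send each message from one party to the other; returns the plaintexts
    the receiver recovers."""
    alice, bob = Party(INITIAL_CHAIN_KEY), Party(INITIAL_CHAIN_KEY)
    return [bob.receive(alice.send(m)) for m in messages]


def message_keys_from(chain_key: bytes, count: int):
    """Every message key derivable from a captured chain key by anyone who
    knows the scheme: the current one and all that follow."""
    keys = []
    for _ in range(count):
        keys.append(message_key(chain_key))
        chain_key = ratchet(chain_key)
    return keys


def forward_secrecy_demo(n_sent: int = 3, horizon: int = 10):
    """Exchange n_sent messages, then assume the sender's current chain key
    leaks. Returns (past_keys_recoverable, future_message_recoverable)."""
    alice, bob = Party(INITIAL_CHAIN_KEY), Party(INITIAL_CHAIN_KEY)
    past_keys = []
    for i in range(n_sent):
        past_keys.append(message_key(alice.chain_key))
        bob.receive(alice.send(b"message %d" % i))
    leaked = alice.chain_key
    derivable = set(message_keys_from(leaked, horizon))
    past_recoverable = any(k in derivable for k in past_keys)
    # After the leak the conversation continues; the next message is readable
    # by whoever holds the leaked key, since nothing fresh was mixed in.
    _, ciphertext = alice.send(b"after the leak")
    future_recoverable = any(keystream_xor(k, ciphertext) == b"after the leak"
                             for k in derivable)
    return past_recoverable, future_recoverable


if __name__ == "__main__":
    print(roundtrip([b"hello", b"world"]))
    print(forward_secrecy_demo())  # (False, True)
```

The second value returned by forward_secrecy_demo is the caveat for anyone weighing this against the one-use decryption keys: hashing forward erases the past but does nothing for the future, so the scheme still needs a periodic fresh key agreement (and strict erasure of superseded chain keys on both ends) to bound the damage from a single compromise.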