On 02/21/2017 02:21 PM, Peter Lebbing wrote:
> Revoking the old A key and creating a new one needs to happen on the
> system you have the primary key on, so you need to subsequently roll out

Who said anything about creating a new one in this part of the process?
Each device has separate A subkeys already, you lost your device, you
revoke the A subkey for it (this step is actually the most tricky, as
revocation certificates can't be generated for subkeys - so you need to
have pre-generated versions of the pubkey with it revoked, created
carefully and manually beforehand).

> the new A key to the compromised device. Obviously I assume the primary
> key was not available on the compromised device, because then the whole

obviously

> certificate would have to be revoked. I don't see much extra effort in
> rolling it out to the few other systems you use as a client as well.

Not following, you don't have access to the primary key at this point
(say you're travelling and the primary is on a smartcard in a vault).

>
> Also, I think you need to have a way to notify servers that they need to
> get an updated certificate including the revoked old key *right* *now*.
> We're talking about a compromised A key! The attacker has full access to
> your login account for the time that the servers haven't checked for a

Whether the need for "right now" depends on severity; the compromise is in
most cases a lost device, not an active attacker, so a 20-30 min
timeframe is likely sufficient in most cases anyways, e.g. from a regular
crontab run of monkeysphere. This also should fit with most key
propagation across the network, as using a single keyserver can create a
SPOF and DoS the update.

> new key yet! Regular intervals just won't do. This looks to be the
> painful step in the process.

... it depends...

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Qui audet vincit
Who dares wins
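A defender-side check for the step discussed above, added here as an example and not code from the thread, GnuPG or monkeysphere: it walks an exported OpenPGP public key block and reports which subkeys are followed by a subkey-revocation signature (signature type 0x28), which is what a server refreshing its copy of the certificate would look for after the pre-generated revoked version has been published. The key block is constructed inline and is not a real key; the check reports the presence of a revocation signature only and does not cryptographically verify it.

```python
import hashlib, struct

TAG_SIGNATURE, TAG_SUBKEY, SIGTYPE_SUBKEY_REVOCATION = 2, 14, 0x28   # RFC 4880

def iter_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers, no partial bodies."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if ctb & 0x40:                                   # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header (what GnuPG exports)
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length

def v4_fingerprint(key_body):
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet body length, key body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def subkey_status(keyblock):
    """Map subkey fingerprint -> True when a subkey-revocation signature follows it (presence only)."""
    status, current = {}, None
    for tag, body in iter_packets(keyblock):
        if tag == TAG_SUBKEY:
            current = v4_fingerprint(body)
            status[current] = False
        elif tag != TAG_SIGNATURE:                       # primary key / user ID ends a subkey run
            current = None
        elif current and body[0] == 4 and body[1] == SIGTYPE_SUBKEY_REVOCATION:
            status[current] = True
    return status

# Constructed sample, not a real key: old-format headers, tiny fake RSA MPIs (n=0xC001, e=65537).
def _pkt(tag, body): return bytes([0x80 | (tag << 2), len(body)]) + body
def _key(created): return b"\x04" + struct.pack(">I", created) + b"\x01\x00\x10\xc0\x01\x00\x11\x01\x00\x01"
def _sig(sigtype): return bytes([4, sigtype, 1, 8]) + b"\x00" * 6   # v4 body, no subpackets, no MPI
SAMPLE = (_pkt(6, _key(1)) + _pkt(13, b"auth@example.invalid") + _pkt(14, _key(2)) + _pkt(2, _sig(0x18))  # primary, uid, laptop subkey (bound)
          + _pkt(14, _key(3)) + _pkt(2, _sig(0x18)) + _pkt(2, _sig(0x28)))  # lost device's subkey: bound, then revoked
```

Run against a real export (`gpg --export <keyid>`, binary, not armored) the same function lists every subkey fingerprint with its revocation state, which is the fact a polling server needs before it drops the lost device's A subkey from its authorized list.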
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users