On Mon, Dec 29, 2014 at 5:48 PM, Tony Arcieri <[email protected]> wrote:

> I kind of like the previously described idea of having a user register many
> public keys in a directory, one for each device they currently have
> enrolled, signed by a master key

I wrote an analysis of this, see cases 3 vs 4.

https://moderncrypto.org/mail-archive/messaging/2014/001022.html

In brief: cloning the private key is simpler and more efficient than
signature chains, avoiding the master / subordinate device distinction seems
like a better UX, and I don't think mitigating device compromise via
signature expiration or signed revocation statements has much value here,
since time sync and delivering revocation data are unreliable.

> the important point here is that we're able to move a cryptographic
> key from device-to-device without any devices but the two involved in the
> exchange ever seeing the raw unencrypted keying material.

Yes.

> Typically this sort of "cloning" is actively avoided by modern crypto
> hardware devices though.

HSMs can generally export and import wrapped keys. Some HSMs and smartcards
can execute code in the secure environment, in which case you can do
whatever you want.

Trevor

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
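The device-to-device key move discussed in this thread, as an added example that is not part of the post or of any project named in it: the old device wraps its Ed25519 identity seed under a key agreed with the new device's ephemeral X25519 key, so only those two devices ever see the raw seed and a wrapped blob cannot be unwrapped by a third device or altered in transit. The names (WrappedKey, ExportSeed, ImportSeed, the "device-clone-wrap-v1" label) are assumptions, and the labelled SHA-256 stands in for a full HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// WrappedKey is the only thing that crosses the wire between the two devices.
type WrappedKey struct {
	SenderEph  []byte // old device's ephemeral X25519 public key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the 32-byte Ed25519 seed, tag appended
}
// sessionAEAD runs the X25519 agreement and derives a one-time AES-256-GCM key (labelled SHA-256 stands in for HKDF).
func sessionAEAD(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := mine.ECDH(peer)
	if err != nil { return nil, err }
	key := sha256.Sum256(append([]byte("device-clone-wrap-v1"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// ExportSeed runs on the old device: it wraps its identity seed for the new device, whose ephemeral public key it already has.
func ExportSeed(identity ed25519.PrivateKey, recvEphPub *ecdh.PublicKey) (*WrappedKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	aead, err := sessionAEAD(eph, recvEphPub)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	// Both ephemeral public keys go in as AAD, so the blob cannot be replayed to a third device.
	aad := append(eph.PublicKey().Bytes(), recvEphPub.Bytes()...)
	return &WrappedKey{eph.PublicKey().Bytes(), nonce, aead.Seal(nil, nonce, identity.Seed(), aad)}, nil
}
// ImportSeed runs on the new device: it unwraps with its ephemeral private key; tampering or a wrong receiver makes Open fail.
func ImportSeed(w *WrappedKey, recvEph *ecdh.PrivateKey) (ed25519.PrivateKey, error) {
	sendPub, err := ecdh.X25519().NewPublicKey(w.SenderEph)
	if err != nil { return nil, err }
	aead, err := sessionAEAD(recvEph, sendPub)
	if err != nil { return nil, err }
	aad := append(append([]byte{}, w.SenderEph...), recvEph.PublicKey().Bytes()...)
	seed, err := aead.Open(nil, w.Nonce, w.Ciphertext, aad)
	if err != nil { return nil, err }
	return ed25519.NewKeyFromSeed(seed), nil
}
```

The ephemeral keys are discarded after the exchange, so a later compromise of either device's long-term material does not expose a recorded wrapped blob.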
