On Thu, 2017-12-14 at 15:50 -0500, Kent Borg wrote: > Question: Is it okay for Alice and Bob to communicate with each > other > using a single shared public/private elliptic key pair? > Experimentally > it seems to work, but does it introduce any security holes? (Beyond > the > obvious that keys can't be individually deployed and revoked when > they > are not individually issued.) > > Motivation: Alice and Bob are in the same household, they trust each > other. They are, um, liberal, Charlie might be joining, too, they > will > trust him, too. When he does join they would rather not do a bunch > of > two-way key distribution. Also, there might be more than one instance > of > Alice (and of Bob and Charlie), and the Alices (and Bobs and > Charlies) > want to be able to talk to among themselves. They are willing to > rekey > the entire household if need be. And if later they need more > resolution > of who trusts whom they can start issuing some unique keys then. But > in > the meantime, does sharing keys open up any vulnerabilities? > > Thanks, > > -kb
Premise: I am not a security expert. Using the same key pair for both endpoints should be the equivalent of using a pre-shared key, so per-se it shouldn't have any consequences. Apart from the obvious ones with deployment, double exposure of the private key (one machine gets compromised == all machines are compromised) and so on, which you already identified. -- Kind regards, Luca Boccassi
signature.asc
Description: This is a digitally signed message part
_______________________________________________ zeromq-dev mailing list [email protected] https://lists.zeromq.org/mailman/listinfo/zeromq-dev
