Mailing List Archive

Different key pair for e-mail and signing code
Hello all,

Following my thread at (1), unless I'm missing something, it became
apparent that Enigmail/Thunderbird does not fit the bill anymore.


My plan is to use something like the following:

-----------------------------
sec rsa4096 2020-01-03 [C] [expires: 2020-01-04]
3C5CFD620005347A62052A6B596CB80D30E8829D
uid [ultimate] Firstname Lastname <test@example.com>
ssb rsa4096 2020-01-03 [S] [expires: 2020-01-04]
ssb rsa4096 2020-01-03 [S] [expires: 2020-01-04]
ssb rsa4096 2020-01-03 [E] [expires: 2020-01-04]

With maybe more signing subkeys.


My goal is to sign code and sign/encrypt e-mail, but I'm not sure what's
the best way forward:
- One key pair for e-mail (sign/encrypt) and another key pair for
signing code
- Finding a way to do what I want with only one key pair (multiple
signing subkeys and one encryption subkey)
- Am I missing something/a better approach?

For now I'm considering notmuch/sup to get what I want, it looks like
Mutt uses 'ncurses' which is not an option for me.

Any input is welcome

1)
https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2020-January/005562.html


P.S.

By key pair, I mean private/public key.

--
John Doe

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Different key pair for e-mail and signing code
> Following my thread at (1), unless I'm missing something, it became
> apparent that Enigmail/Thunderbird does not fit the bill anymore.

It should be noted that Enigmail hasn't changed how it does anything.

> My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
> the best way forward:

We don't know, either. It's going to depend on your own personal risk
profile.

> - Am I missing something/better approach

If you want to segregate your code signing from your email, the best way
to do that is with a second certificate -- not adding subkeys to your
current one.

Ask yourself this: how often have you noticed that my signed messages
bear *two* signatures from *two* subkeys belonging to the same
certificate? I've been doing this for years and nobody's ever noticed.
(Or at least, nobody's ever mentioned it to me to ask why I'm doing
something so weird.)

So if you're depending on people ascribing special semantic value to
which subkey is used -- honestly, I doubt people will ever even notice
which subkey you're using. It's simply not a use case that comes up
very often, if ever.
Re: Different key pair for e-mail and signing code
Hi John,

On 04.01.2020 09:53, john doe wrote:
> My goal is to sign code and sign/encrypt e-mail, but I'm not sure what's
> the best way forward:
> - One key pair for e-mail (sign/encrypt) and another key pair for
> signing code
> - Finding a way to do what I want with only one key pair (multiple
> signing subkeys and one encryption subkey)
> - Am I missing something/a better approach?

There is no single answer to this question. Some people use one keypair
for signing e-mails and software because it's simpler (especially if
people have or use Web of Trust to validate keys).

Apache, for example, recommends using a separate keypair for code signing
with specific guidelines (such as having the UID comment "CODE SIGNING KEY"
[0]). I guess this is due to the fact that one rarely signs code, but
when they do it they use a different hardware token, thus avoiding the
risk of misuse of their frequently used key (e-mail signing).

OpenPGP lacks extended key usage flags, so if an object is signed, it's
not clear what the intention of the signer was, and it's theoretically
possible to trick someone into signing an e-mail (via auto-reply or so)
that then could be misinterpreted as software [1].

Kind regards,
Wiktor

[0]: https://www.apache.org/dev/release-signing.html#key-comment

[1]: https://stackoverflow.com/q/35840196

--
https://metacode.biz/@wiktor

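The two layouts discussed in this thread (the original poster's single certificate with several signing subkeys, and Wiktor's Apache-style dedicated code-signing certificate with a "CODE SIGNING KEY" UID comment) can be checked mechanically from `gpg --with-colons` output. The following is an added example written for this page, not code from the thread or from GnuPG; the sample listing is constructed, and the key IDs, UID hashes and the second fingerprint in it are dummies.

```python
# Added example, not from the thread: audit a `gpg --with-colons` listing
# against the advice above (a dedicated code-signing certificate is marked
# by a "CODE SIGNING KEY" UID comment and should not double as the e-mail
# certificate; extra signing subkeys on one certificate convey nothing to
# verifiers). Constructed sample of `gpg --list-secret-keys --with-colons`:
# the OP's proposed key (C primary, two S subkeys, one E subkey) plus an
# Apache-style code-signing key. Key IDs, UID hashes, second fpr: dummies.
SAMPLE_LISTING = """\
sec:u:4096:1:596CB80D30E8829D:1578009600:1578096000::u:::cESC:::+:::23::0:
fpr:::::::::3C5CFD620005347A62052A6B596CB80D30E8829D:
uid:u::::1578009600::0123456789ABCDEF0123456789ABCDEF01234567::Firstname Lastname <test@example.com>::::::::::0:
ssb:u:4096:1:AAAAAAAAAAAAAAA1:1578009600:1578096000:::::s:::+:::23:
ssb:u:4096:1:AAAAAAAAAAAAAAA2:1578009600:1578096000:::::s:::+:::23:
ssb:u:4096:1:AAAAAAAAAAAAAAA3:1578009600:1578096000:::::e:::+:::23:
sec:u:4096:1:BBBBBBBBBBBBBBB0:1578009600:1578096000::u:::cSC:::+:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1578009600::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Firstname Lastname (CODE SIGNING KEY) <test@example.com>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBB1:1578009600:1578096000:::::s:::+:::23:
"""

def parse_colons(listing):
    """Group colon records per certificate. Field 1 is the record type,
    field 10 the user ID or fingerprint, field 12 the capability letters."""
    certs = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            certs.append({"fpr": "", "uids": [], "sign": 0, "encrypt": 0})
        elif f[0] == "fpr" and certs and not certs[-1]["fpr"]:
            certs[-1]["fpr"] = f[9]      # first fpr after sec is the primary's
        elif f[0] == "uid":
            certs[-1]["uids"].append(f[9])
        elif f[0] == "ssb":
            certs[-1]["sign"] += "s" in f[11]     # lowercase = subkey's own caps
            certs[-1]["encrypt"] += "e" in f[11]
    return certs

def audit(certs):
    """Map each primary fingerprint to (role, findings) per the thread's
    advice: code-signing certs stay separate from the e-mail cert, and more
    than one signing subkey on a cert gives verifiers no usage information."""
    report = {}
    for c in certs:
        code_signing = any("CODE SIGNING KEY" in u for u in c["uids"])
        notes = []
        if code_signing and c["encrypt"]:
            notes.append("code-signing cert also has an encryption subkey")
        if not code_signing and c["sign"] > 1:
            notes.append("extra signing subkeys carry no usage semantics")
        report[c["fpr"]] = ("code-signing" if code_signing else "e-mail", notes)
    return report
```

Run it on real output with `gpg --list-secret-keys --with-colons | python3 -c 'import sys, audit; ...'` style plumbing, or simply pass the captured text to `audit(parse_colons(text))`.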
Re: Different key pair for e-mail and signing code
On 1/4/2020 10:10 AM, Robert J. Hansen wrote:
>> Following my thread at (1), unless I'm missing something, it became
>> apparent that Enigmail/Thunderbird does not fit the bill anymore.
>
> It should be noted that Enigmail hasn't changed how it does anything.
>

No argument there, Patrick is doing an outstanding job with Enigmail.
I should have said that Enigmail does not fit the bill for my needs
anymore, sorry about that.


>> My goal is to sign code and sign/encrypt e-mail, but I'm not sure what's
>> the best way forward:
>
> We don't know, either. It's going to depend on your own personal risk
> profile.
>
>> - Am I missing something/a better approach?
>
> If you want to segregate your code signing from your email, the best way
> to do that is with a second certificate -- not adding subkeys to your
> current one.
>
> Ask yourself this: how often have you noticed that my signed messages
> bear *two* signatures from *two* subkeys belonging to the same
> certificate? I've been doing this for years and nobody's ever noticed.
> (Or at least, nobody's ever mentioned it to me to ask why I'm doing
> something so weird.)
>
> So if you're depending on people ascribing special semantic value to
> which subkey is used -- honestly, I doubt people will ever even notice
> which subkey you're using. It's simply not a use case that comes up
> very often, if ever.
>

From the answers in this thread, it looks like having two key pairs (one
for signing and one for e-mailing) is somewhat more flexible, but this
approach is more complicated for the web of trust.

I guess I'll go with separate key pairs.

Thanks Robert for your answer in all my threads! :)

I'd like to also thank (1) for his answer, and (2) for his answer in
another thread (3).

1) Wiktor Kwapisiewicz <wiktor@metacode.biz>
2) Konstantin Ryabitsev <konstantin@linuxfoundation.org>
3) https://lists.gnupg.org/pipermail/gnupg-users/2020-January/063190.html


--
John Doe
