End to End Encryption SIG - 2021-09-22

SCE isn't really common - so there is no common message format inside encrypted messages...

except... MIME

Everybody loves MIME!!!

I'm facing a hen and egg problem using OpenPGP.

To utilize OpenPGP for Account wide identity key + per device keys, I'd like to have the device keys as subkeys of the account identity key. However, the device keys would usually again consist of a primary device key with subkeys (I want to be able to both sign and encrypt using the per-device keys).

As a consequence I'd need something along the lines of : Account Identity Key owns (Device Primary Key owns Device Encryption Subkey and Device Signing Subkey)

However, currently virtually no OpenPGP implementation supports subkeys of subkeys.

See https://gitlab.com/sequoia-pgp/weird-keys#results (cert-subkeys)

https://gitlab.com/sequoia-pgp/weird-keys#cert-subkeyspgp

So I'm thinking of manually establishing the subkey hierarchy by keeping the keys separate, but requiring implementations to check for subkey binding signatures.

what is the purpose of the account identity key?

i.e. how is it different from a device key?

larma: a device key is just for that one device. If you use 2 devices with same acc you have 2 device keys, an account key is for the account independent from the device.

The account key is used as long term identity

but, isn't that account key not stored on a "device" (phone, computer, server, paper) and thus is just another device key?

And to certify device keys

It is

so why do we need it?

But it is higher up in the hierarhy

is it a hierarchy for the sake of having a hierarchy or does it actually make sense?

You dont want to have your account key on every device.

but on some devices? or only a single device?

It is used as a single user identity. So that users dont have to individually trust X devixe keys

The identity key CAN be kept on a single trusted device, but could also be synced

Depends on users /clients preferences

do I need the account key to add a new device?

Yes. That is if you want to include your new device in the set of trustworthy devices.

Clients should allow the user to further communicate with devices not yet certified by the account key.

But they should warn the user in that case.

only once or persistently?

I kinda feel there is some overengineering going on here.

Once

This is basically the Matrix trust model

And it seems to work for them

So 🤗

not sure what you mean by works for them. they just store a single accounts key on the server that is password encrypted and most people just use the same password as their account password or something very close. when logging in from a new device they just have to enter their password twice

but then you don't really need device keys anymore because effectively the account key is/was on every device ✏

I'd model the sepc such that you CAN do what the matrix guys do, but allow for different schemes (offline account key)

I mean, OMEMO TBFV seems to work as well. 90%+ don't verify at all and can be attacked under certain scenarios (active server side attack), but everyone gets the "feeling" of encrypted chats. Just like Matrix...

Yeah, but people always complain about fingerprints. An account key would reduce this situation to only a single fingerprint per contact + the fps of the users own devices.

> when logging in from a new device they just have to enter their password twice But you get an new aditional device key, and the list becomes longer and longer with every device change or new install of a client if you dont delete obsolete devices from your list.