Communications forward secrecy

Ian Brown I.Brown at cs.ucl.ac.uk
Wed, 29 Apr 1998 11:16:47 +0100


Adam and I have just sent off our paper for publication so obviously we
don't want to spoil its chances by putting it on-line. But some of the
things we've been working on:

* PGP 5 already allows signature keys and self-certified encryption
keys. So, you get your signature key signed by lots of other people to
build up the web of trust. But generate a new encryption key pair every
n days (I would probably use n=1), with a lifetime of n days, sign it
with your signature key, then upload it to a keyserver. After the public
key expires, you can securely delete the private key -- so even if a
decryption warrant appears, there's absolutely nothing you can do to
help Mr. Policeman. We're writing software that automatically does all
of this, absolutely compatible with PGP 5.

* Going even better, you can generate a new key pair for every message
you send, including the public key in the message. The recipient uses
that new public key to reply. You can then destroy the associated
private key.

* You can also protect your mail at the transport layer by using SSH to
tunnel your SMTP links to other SMTP servers. Then attackers can't even
get hold of the ciphertext of your message. The keys used by SSH are
destroyed as soon as the link is closed so they can't be demanded
either.

All of the above use encryption keys that are as short-lived as
possible. If anyone captures your communications traffic, they'd better
get to you before you destroy the private keys... Otherwise there's
nothing anyone can do about it.

Obviously all the above emphasises the absurdity of any governmental
attempt to make key escrow work.

Ian.
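The n-day key scheme in the first bullet, as an added example in Go's standard library (this is not the post's or Ian Brown's software, and the struct layout, signed bytes and SHA-256 key derivation are my own assumptions rather than PGP 5's format): a long-term Ed25519 signature key certifies an X25519 encryption key together with its expiry, a sender refuses uncertified or expired keys, and once the private half has been deleted (modelled as a nil key) the message key can no longer be recomputed from captured traffic.

```go
package main
import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// EphemeralKey: published half of an n-day key (X25519 pub, expiry in unix seconds), certified by the owner's long-term Ed25519 signature key.
type EphemeralKey struct {
	Pub, Sig []byte
	Expiry   int64
}
func certified(pub []byte, exp int64) []byte { // bytes the signature key certifies: pub || expiry
	return binary.BigEndian.AppendUint64(append([]byte{}, pub...), uint64(exp))
}
// NewEphemeral generates a key pair valid for lifetime seconds and certifies its public half.
func NewEphemeral(signer ed25519.PrivateKey, now, lifetime int64) (*ecdh.PrivateKey, EphemeralKey) {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	pub, exp := priv.PublicKey().Bytes(), now+lifetime
	return priv, EphemeralKey{pub, ed25519.Sign(signer, certified(pub, exp)), exp}
}
// SenderKey refuses an uncertified or expired key; otherwise it derives the message key from a fresh X25519 pair and returns it with the public half to include in the mail.
func SenderKey(owner ed25519.PublicKey, ek EphemeralKey, now int64) (msgKey, sendPub []byte, err error) {
	if !ed25519.Verify(owner, certified(ek.Pub, ek.Expiry), ek.Sig) {
		return nil, nil, errors.New("ephemeral key not certified by the signature key")
	}
	if now >= ek.Expiry {
		return nil, nil, errors.New("ephemeral key has expired")
	}
	theirs, _ := ecdh.X25519().NewPublicKey(ek.Pub) // certified above, so a valid 32-byte key
	mine, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, _ := mine.ECDH(theirs)
	return kdf(shared), mine.PublicKey().Bytes(), nil
}
// RecipientKey recovers the same key; a nil priv models the securely deleted private key, after which nobody, the owner included, can recompute it.
func RecipientKey(priv *ecdh.PrivateKey, sendPub []byte) ([]byte, error) {
	if priv == nil {
		return nil, errors.New("private key destroyed: message key is unrecoverable")
	}
	theirs, err := ecdh.X25519().NewPublicKey(sendPub) // untrusted input, length-checked
	if err != nil {
		return nil, err
	}
	shared, _ := priv.ECDH(theirs)
	return kdf(shared), nil
}
func kdf(shared []byte) []byte { k := sha256.Sum256(shared); return k[:] } // message key = SHA-256(ECDH secret)
```

Encrypting the mail body under msgKey is left out; the point shown is that once priv is gone the key itself cannot be recomputed, so a captured message stays sealed for everyone.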