Does Qubes have any intention of following in the footsteps of TAILS as
proposed below?
[ see link
https://tails.boum.org/doc/about/openpgp_keys/signing_key_revocation/index.en.html
]
This document proposes a mechanism for the distribution and activation
of the revocation certificate of the Tails signing key.

Goals

Covered by current proposal:

- Prevent any single individual from revoking our signing key.
- Allow a coalition of people from ta...@boum.org to revoke our signing
  key in case most of the people from ta...@boum.org become unavailable.
- Allow a coalition of people, not necessarily from ta...@boum.org, to
  revoke our signing key in case everybody or almost everybody from
  ta...@boum.org becomes unavailable.
- Make it hard for a coalition of people not from ta...@boum.org to
  revoke our signing key unless everybody or almost everybody from
  ta...@boum.org becomes unavailable.
- People not from ta...@boum.org shouldn't know how the shares are
  spread and who has them.
- People in possession of a share of the signing key should have
  instructions on how to use it if needed.
Groups

We define four complementary groups of trusted people:

- Group A: people from ta...@boum.org themselves
- Group B
- Group C
- Group D

All these people should have an OpenPGP key and understand what a
revocation certificate is.
Cryptographic shares

We generate a revocation certificate of the signing key and split it
into a number of cryptographic shares, using for example Shamir's secret
sharing scheme as implemented by gfshare.

The following combinations of people could get together and reassemble
their shares to reconstruct a complete revocation certificate:

- Three people from ta...@boum.org: A{3}
- Two people from ta...@boum.org and one person not from ta...@boum.org:
  A{2}+(B|C|D)
- One person from ta...@boum.org, and two people not from ta...@boum.org
  but from two different groups: A+(B|C|D){2}
- Three people not from ta...@boum.org but from three different groups:
  (B+C+D){3}

We generate these shares:

- N shares, one for each person from ta...@boum.org
- 1 share for people in group B
- 1 share for people in group C
- 1 share for people in group D
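As an added illustration (not part of the Tails document and not gfshare's code), the share layout above can be modelled as byte-wise Shamir sharing over GF(2^8) in Python: a threshold of 3 over N+3 shares, one per core member and one held in common by each of groups B, C and D. The GF(2^8) arithmetic, the sample certificate bytes and the function names are this example's own assumptions.

```python
import functools, secrets

# GF(2^8) arithmetic, reduced by the AES polynomial x^8+x^4+x^3+x+1 (0x11b).
def gf_mul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return p

def gf_inv(a):  # a^254 == a^-1 for non-zero a in GF(2^8)
    return functools.reduce(gf_mul, [a] * 254)

def split(secret, k, n):
    """Byte-wise Shamir: n shares (x = 1..n); any k *distinct* shares reconstruct."""
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]  # fresh polynomial per byte
        for x in shares:
            y, xp = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            shares[x].append(y)
    return {x: bytes(y) for x, y in shares.items()}

def combine(shares):
    """Lagrange interpolation at x=0 over the given {x: share_bytes} mapping."""
    xs, out = list(shares), bytearray()
    for i in range(len(next(iter(shares.values())))):
        acc = 0
        for xj in xs:
            num = den = 1
            for xm in xs:
                if xm != xj:
                    num, den = gf_mul(num, xm), gf_mul(den, xj ^ xm)
            acc ^= gf_mul(shares[xj][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

def tails_layout(cert, n_core):
    """Threshold 3 over n_core+3 shares: one per core member, one each for groups B, C, D."""
    s = split(cert, 3, n_core + 3)
    core = {x: s[x] for x in range(1, n_core + 1)}
    groups = {g: {n_core + i: s[n_core + i]} for i, g in enumerate("BCD", start=1)}
    return core, groups
```

Because every member of a group holds the same share, two people from group B plus one core member still hold only two distinct shares and cannot reconstruct; a fresh split makes any leftover old share useless alongside the new ones.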
Who knows what

- People from ta...@boum.org know the composition of each group
- People not from ta...@boum.org:
  - Are told in which circumstances they should revoke the signing key
  - Are told to write to a certain contact email address if they decide
    to revoke the signing key
  - Are told that they need three different shares to reassemble the
    revocation certificate
Infrastructure

Everybody who owns a share is subscribed to a mailing list. This mailing
list is hosted on a trusted server different from boum.org to be more
resilient than our usual communication channels.
Changing the members of the groups B, C, or D

To add someone to a given group:

- Request someone from that group to send her share to the new person in
  the group.

To remove someone from a given group:

- Send new shares to everybody except to the person who is being removed.
- Request everybody to delete their previous share and track this.
- Once everybody in 2 groups amongst B, C, or D has deleted their share,
  it becomes impossible for them to reassemble the revocation certificate
  with the previous set of shares.

Let's hope that this doesn't happen very often :)
Expiry

There is no expiry date on revocation certificates. One way of cancelling
the revocation power is to destroy all copies of the shares of 2 groups
amongst B, C, or D.