I’m asking for existing tools/systems that let me programmatically say: “here is my public key, BUT if each of these 5 other public keys all send a signed message saying that my public key has been compromised, then you should mark my public key as compromised, and use the new one they provide”. (This is not for a particular task, I’m just curious if any existing auth systems are capable of this)

I call the idea “guardian keys” because it could be friends’ public keys or or just more-securely-stored less-frequently-used keys that you control.

NOTE: I know this would not work for data encryption. Encrypted data is simply gone if a key is lost. But, for proving an identity, like a login, there could be a system like this but I don’t know of any

  • @[email protected]English
    112 months ago

    What you’re looking for is a revocation key. You can generate one in GPG at the same time that you generate your identity key. The method of securing it is up to you. In your example, a simple way would be to encrypt it with the 5 sequential keys. Or you could break the revocation key up into K parts with Shamir’s secret sharing algorithm.

    This example assumes that you’re using existing Web of Trust PKI to manage your public keys: https://stackoverflow.com/questions/59664526/how-the-correct-way-to-revoke-gpg-on-key-server#62644875

    • @[email protected]OP
      22 months ago

      Cool, this is exactly what I was hoping to learn but couldn’t find. It sounds like its still a pretty manual process, but thats okay. If thats how it is righ now, then thats exactly what I want to know.

      I’m considering making tools (GUI local app, but also website AUTH frontend/backend tooling) to try and make systems like this more commonplace and standardized. I didn’t know about revocation keys, so I’m glad I heard about that before trying to build my own.