In its current proposal, SecureDrop faces the risk of journalist key exhaustion, as keys should only be used once. One can mitigate this risk by using short-lived keys instead of single-use keys. Keys could be valid, e.g., for one hour, and journalists regularly upload new key material when their keys risk expiring.
Some thoughts on that:
- Key compromise can have worse effects compared to single-use keys, but as keys are short-lived, the effect of compromise is still limited.
- Adversarial key exhaustion is no longer a threat.
- Accidental key exhaustion may be a larger threat now because all journalist keys could expire. Previously, this could only happen if honest sources used all journalist keys. I think, however, that key expiration is a "better accident" than all keys being used, as journalists can easily set alarms for when they have to upload new keys.