docs: expand on the motivation for subkeys

1 files changed, 112 insertions, 22 deletions

diff --git a/sq-guide.md b/sq-guide.md
index ffe68e9..fc8b2ed 100644
--- a/sq-guide.md
+++ b/sq-guide.md
@@ -668,32 +668,122 @@ security, and without losing access to older files and messages.
 
 ## Why use subkeys?
 
-Even someone having only one cryptographic key may benefit from having
-other keys for specific purposes. For example, they might have a very
-strong primary key as their primary key, and additional, auxiliary
-keys for encryption or digital signatures. Such auxiliary keys can be
-tied to the primary key using _certifications_, which we'll cover in
-more detail later. For now, a certification uses the primary key to
-declare that the auxiliary key can be used instead of the primary key
-for a specific purpose. The auxiliary key then becomes a _subkey_,
-and other users of OpenPGP will use it automatically, if they have
-your certificate. This setup has several benefits:
-
-* you can have separate subkeys for encryption, signing, or
-  authentication
-* it's harder to leak or misuse the primary key, as it's only used
-  rarely
-* you can use a smaller key when less security is OK in exchange for
-  faster use
-* you can have a separate subkey for each device you have, or put
-  them on a hardware security token
-* you can replace the subkeys easily: others trust your certificate,
-  and will happily use any subkey they can verify using your
-  certificate
+To understand why subkeys are useful, it is good to understand some of
+the ways in which the security provided by cryptography can be attacked.
+
+An attacker can break the security that cryptography provides by
+various means. It's good to understand these, even if they're not
+directly relevant to most people's use of cryptography. The attacks
+can be broken down to at least the following classes (alas, it's not
+an exhaustive list):
+
+* attacks on the mathematics underlying the cryptography
+  - this is the worst kind of attack, but it's also the most rare:
+    it seems to happen on the order of about once per decade
+  - the mathematics usually relies on "puzzles" where it's easy show
+    that a solution is correct, but hard to come up with a solution
+    without trying every possible solution
+  - if an attacker finds a way to bypass the puzzle, or to find an
+    easy way to solve a puzzle, they may weaken the protection
+    cryptography provides sufficiently that the defenders had best
+    change to something new
+  - defense: regularly review the strength of cryptographic
+    algorithms, and upgrade to newer ones in the OpenPGP standard and
+    its implementations
+* attacks on the implementation of the cryptography
+  - this is more common: they happen on the order of once per year
+  - an implementation might be faulty so that the keys it generates
+    are weak: for example, if a random number generator is used badly,
+    it might be possible to guess the keys, because the number of
+    possible keys is greatly reduced
+  - defense: use a recent version of the software, upgrade when
+    serious bugs are fixed
+* attacks on the keys being used
+  - we, the authors of this guide, don't know how common this is
+  - for example, if the keys are short, it may become possible for
+    attackers to try every possible key
+  - if an attacker can steal a private key, and break the passphrase
+    protecting it, they can just use it as if they were the legitimate
+    holder of the key
+  - we can assume that the more a key is used, the more ciphertext
+    material the attackers have to analyze, the easier it is for them
+    to break a specific key
+  - defense: use task specific keys and replace them with new ones
+    from time to time
+* attacks on passwords or passphrases
+  - passwords leak from large services frequently, order of weekly
+  - from experience, we know that people in general use weak passwords
+    to protect logins to computers and services, and there is no
+    reason to think that's not true about encryption keys
+  - we also know people in general use the same or same few passwords
+    in many situations, which means that when (not if) passwords leak,
+    attackers can try all leaked passwords, and have a reasonable
+    chance of finding some that are used
+  - defense: strong passphrases, or (better) use hardware tokens
+* attacks on the way the software being used
+  - we, the authors of this guide, don't know how common this is,
+    except that spousal abuse happens daily, and that now includes
+    spouses installing spyware on devices
+  - if an attacker can convince you to install a modified version of
+    the cryptographic software you use, or change its configuration,
+    you might end up encrypting everything to the attacker's key as
+    well as to any the keys you intended to use
+  - likewise, an attacker may be able to install or configure your
+    device themselves, which makes this kind of attack even easier for
+    them
+  - defense: there seems to be no good way to guard against a targeted
+    attack by a motivated attacker with sufficient resources
+* attacks on the person using cryptography
+  - we, the authors of this guide, don't know how common this is,
+    except that spousal abuse happens daily
+  - in some countries, law enforcement or border agents can legally
+    force you to disclose the password your private key is protected
+    with, if they can find no reason to accuse you of a crime
+  - gangsters, spies, and abusive spouses can use, or threaten to use,
+    violence to force you to reveal your passphrase
+  - defense: there's no good way to guard against a targeted attack by
+    a motivated attacker with sufficient resources
+
+OpenPGP supports _subkeys_. These are auxiliary keys, tied to a
+primary key using _certifications_, which we'll cover in more detail
+later. For now, a certification uses the primary key to declare that
+the auxiliary key can be used instead of the primary key for a
+specific purpose. The auxiliary key then becomes a _subkey_, and other
+users of OpenPGP will use it automatically, if they have your
+certificate.
 
 All of this is managed pretty much automatically using OpenPGP
 software.
 
+Subkeys allow you to, for example, have different keys for different
+purposes. You can also have different subkeys for different devices.
+
+* on your laptop
+  - a key to sign email sent from that laptop
+  - a key to decrypt email sent to you
+  - a key to sign changes in version control
+  - a key for logging into servers via SSH
+  - a key for logging into web sites
+* on your phone
+  - a key to sign email sent from the phone
+  - a key to decrypt email sent to you
+
+All of these would be separate, distinct subkey. If senders encrypt
+messages meant for you using every encryption subkey you have, you can
+read encrypted messages on both your phone and your laptop.
+(Unfortunately, some OpenPGP implementations do not encrypt to all
+subkeys currently. This is hopefully a temporary problem, and only
+affects encryption of messages for you.)
+
+You would store the main key in a secure way, such as on an encrypted
+USB drive, using it only to certify new subkeys. At other times, you
+would store the USB drive in a safe, physically secure place.
+
+If your phone is stolen, you only need to revoke that subkey.
+
+When you want to have new subkeys, you can just create them, and when
+others get your updated certificate, they'll start using them
+automatically.
 
 ## Why would keys expire automatically?