I’m asking for existing tools/systems that let me programmatically say: “here is my public key, BUT if each of these 5 other public keys all send a signed message saying that my public key has been compromised, then you should mark my public key as compromised, and use the new one they provide”. (This is not for a particular task, I’m just curious if any existing auth systems are capable of this)
I call the idea “guardian keys” because it could be friends’ public keys or or just more-securely-stored less-frequently-used keys that you control.
NOTE: I know this would not work for data encryption. Encrypted data is simply gone if a key is lost. But, for proving an identity, like a login, there could be a system like this but I don’t know of any
What you’re looking for is a revocation key. You can generate one in GPG at the same time that you generate your identity key. The method of securing it is up to you. In your example, a simple way would be to encrypt it with the 5 sequential keys. Or you could break the revocation key up into K parts with Shamir’s secret sharing algorithm.
This example assumes that you’re using existing Web of Trust PKI to manage your public keys: https://stackoverflow.com/questions/59664526/how-the-correct-way-to-revoke-gpg-on-key-server#62644875
Cool, this is exactly what I was hoping to learn but couldn’t find. It sounds like its still a pretty manual process, but thats okay. If thats how it is righ now, then thats exactly what I want to know.
I’m considering making tools (GUI local app, but also website AUTH frontend/backend tooling) to try and make systems like this more commonplace and standardized. I didn’t know about revocation keys, so I’m glad I heard about that before trying to build my own.
You could generate a revocation key and then encrypt for multiple people using Shamir’s secret sharing.
https://en.wikipedia.org/wiki/Shamir’s_secret_sharing
Look into ssss and gfshare, the latter explicitly discusses this use of the algorithm.
https://manpages.ubuntu.com/manpages/noble/en/man7/gfshare.7.html