Tkey for signing keys. Motivation: Sigsum needs long-lived signing keys, with backup in case the device holding the signing key (and maybe the rest of the site as well) is destroyed. Same may apply to other long lived keys, e.g., close to the top of a cert hierarchy/delegation chain.

1. Signer app: Recieve an encrypted signing key, encrypted to the key's unique key using some public key crypto algorithm. Decrypts the signing key, and acts as signing oracle. Also needs a way to advertise its own pubkey, as well as the pubkey corresponding to the signing key.

2. Keygen app: Takes a list of public keys. Generates a new signing key, and encrypts it to each of the public keys.

3. Export app: Takes public keys and an encrypted signing key. Decrypts using its own unique key, and reencrypts to each of the public keys. Also needs a way to advertise its own pubkey. (Similar role as a yubihsm with key export enabled, but with "keywrap" done using public keys rather than a symmetric key).

Usage scenario: Get at least three tkeys, two intended as backups, the other(s) as signing oracles. Extract the public keys for each key and the respective intended app (signer or exporter). Load the key-gen app on any of the keys, and give it all those pubkeys.

Store the resulting encrypted blob reliably. Lock up the two backup/export keys. Attach a signing key to the machine intended to do signing, and provide the encrypted blob and the signing app on that machine.

When any one of the keys breaks, take one of the export keys out of the safe, and use it to reencrypt the signing key to a replacement key of the appropriate type.

Extension 1 (technically quite easy, I think): Add a symmetric key/passphrase, required for operation of the keys, either a single one, or separate for each key. Would be particularly relevant for access to the export keys, and it would also make sense to apply k-of-n secret sharing of the secret needed to operate the export keys.

Extension 2 (hand waving): Have the signer app require a proof of logging of the act of exporting the signing key to that particular key.

/Niels