At 11:36 PM 6/16/2003 -0400, David Shaw wrote:
On Mon, Jun 16, 2003 at 03:53:11PM -0700, Trevor Perrin wrote:
> But here's another angle: suppose Alice gets someone to sign her
> legitimate primary signing key. Then she signs Bob's public key as
> a subkey of her primary key. So even if you've done a
> Proof-of-Possession check on Alice's primary key, she can possibly
> evade that by introducing a subkey.
At least one of the challenge policies (mine) requires that the
challenge response comes from the primary key. The primary is the one
that I got a fingerprint for, and the primary is the one I'm signing
when I certify the key, so the primary is the one I require the
challenge response from.
Right, but after you've done this, and checked that Alice really possesses
her primary private key, Alice can certify a subkey whose private key she
doesn't really possess.
The problem is that there's a forward-linkage from a primary key to a
subkey, but no back-linkage from a signing subkey to the primary key. Hal
suggested having the signing subkey also certify the primary key. I
suggested having the signatures produced by the signing subkey have the
primary key's ID as a hashed subpacket.