[Top] [All Lists]

Re: The Web of Trust Has No Clothes

1997-11-27 22:06:53

From OpenPGP list:

Date: Mon, 24 Nov 1997 22:08:00 -0800
From: Hal Finney <hal(_at_)rain(_dot_)org>
To: ietf-open-pgp(_at_)imc(_dot_)org
Subject: Re: The web of trust has no clothes.
Sender: owner-ietf-open-pgp(_at_)imc(_dot_)org

PGP 5.X implements an extension to the trust model to address the
raised by David Sternlight.

Another flaw in the web of trust and PGP is now revealed and comes
to roost.  Now that PGP Inc. has deep-sixed RSA in new free
not only does everyone with an old RSA key have to generate a new
but also a complete new set of signatures and web of trust must be
if they wish to use the "better" algorithms. And the new keys must
distributed to correspondents, either directly or by "pull" from
servers. This took years the first time--perhaps the second time
it will
be a bit faster.

The way it works is as follows.  If you have two keys with identical

userids, and the first key signs the second userid, then validity
the signatures on the first user ID gets propagated to the second
The effect is that if you generate a new DSA key with the same name
as your old RSA key, and sign it with your old key, then your new
inherits the validity from the old key.  (This propagation happens
irrespective of whether the old key is marked as a trusted

In effect, the signatures on your old key automatically get applied
your new key.  This is an easy way to inherit the signatures from
the old
web of trust.  The new keys do not have to start from scratch, as

I have now tried this and either Hal's response is non-responsive to my
concern or
I did something wrong.

With Eudora PGP 5.0 and the pay RSA addition for Eudora PGP 5.0, I ran
PGP keys. I generated a
new ElGamal key pair with the same name and internet address as my 1024
bit RSA key
that had been signed by Schiller et al. I then made the old key the
default key and
signed the new key with it. The signatures were NOT transferred to the
new key, as
I had thought on reading Hal Finney's solution to the issue I raised.

Perhaps Hal intended to be taken literally. Perhaps the VALIDITY of my
old key is
transferred to my new key in the isolation of my  own keyring. The
certainly were not, in effect or otherwise. And none of the signatures
on other
people's keys could be transferred in this way. My new key did not carry
the old
signatures, and if I then send it to a keyserver it doesn't carry the
signatures on
the old key. As I at first said, the web of trust (as represented by
signatures on
keys) and all the signatures on the old RSA key has been lost to the new

What is more, this transfer of trust doesn't apply to any keys not my
own on my own
key ring. Thus any web of trust, signatures, etc. on the old RSA key are
lost as
far as any usefulness is concerned once I switch to Free PGP 5.53. As I
said before
Hal's response, PGP Inc HAS disenfranchised all the old web of trust,
the old
network of signatures, and the old network of keys in PGP 5.53. Everyone
has to get
new keys and to restore any semblance of the old web of trust has to get
new keys
from all their correspondents in order to communicate, and the
correspondents (namely everyone)
all have to get new signatures on their keys, etc. for the transitive
character of the web of trust to work.

I cannot believe Hal (of whom I have a high opinion) would be so
and misdirective to the concern I had raised. I must have misunderstood
him and
done something wrong. Please tell me what it was.

As for Open PGP, if I didn't misunderstand Hal this would certainly not
be a way to
preserve signature and key structure in the presence of algorithmic
change or


<Prev in Thread] Current Thread [Next in Thread>