From OpenPGP list:
Date: Mon, 24 Nov 1997 22:08:00 -0800
From: Hal Finney <hal(_at_)rain(_dot_)org>
To: ietf-open-pgp(_at_)imc(_dot_)org
Subject: Re: The web of trust has no clothes.
Sender: owner-ietf-open-pgp(_at_)imc(_dot_)org
PGP 5.X implements an extension to the trust model to address the
issue
raised by David Sternlight.
Another flaw in the web of trust and PGP is now revealed and comes
home
to roost. Now that PGP Inc. has deep-sixed RSA in new free
versions,
not only does everyone with an old RSA key have to generate a new
key
but also a complete new set of signatures and web of trust must be
built
if they wish to use the "better" algorithms. And the new keys must
be
distributed to correspondents, either directly or by "pull" from
servers. This took years the first time--perhaps the second time
it will
be a bit faster.
The way it works is as follows. If you have two keys with identical
userids, and the first key signs the second userid, then validity
from
the signatures on the first user ID gets propagated to the second
userid.
The effect is that if you generate a new DSA key with the same name
as your old RSA key, and sign it with your old key, then your new
key
inherits the validity from the old key. (This propagation happens
irrespective of whether the old key is marked as a trusted
introducer.)
In effect, the signatures on your old key automatically get applied
to
your new key. This is an easy way to inherit the signatures from
the old
web of trust. The new keys do not have to start from scratch, as
implied
above.
I have now tried this and either Hal's response is non-responsive to my
concern or
I did something wrong.
With Eudora PGP 5.0 and the pay RSA addition for Eudora PGP 5.0, I ran
PGP keys. I generated a
new ElGamal key pair with the same name and internet address as my 1024
bit RSA key
that had been signed by Schiller et al. I then made the old key the
default key and
signed the new key with it. The signatures were NOT transferred to the
new key, as
I had thought on reading Hal Finney's solution to the issue I raised.
Perhaps Hal intended to be taken literally. Perhaps the VALIDITY of my
old key is
transferred to my new key in the isolation of my own keyring. The
signatures
certainly were not, in effect or otherwise. And none of the signatures
on other
people's keys could be transferred in this way. My new key did not carry
the old
signatures, and if I then send it to a keyserver it doesn't carry the
signatures on
the old key. As I at first said, the web of trust (as represented by
signatures on
keys) and all the signatures on the old RSA key has been lost to the new
key
structure.
What is more, this transfer of trust doesn't apply to any keys not my
own on my own
key ring. Thus any web of trust, signatures, etc. on the old RSA key are
lost as
far as any usefulness is concerned once I switch to Free PGP 5.53. As I
said before
Hal's response, PGP Inc HAS disenfranchised all the old web of trust,
the old
network of signatures, and the old network of keys in PGP 5.53. Everyone
has to get
new keys and to restore any semblance of the old web of trust has to get
new keys
from all their correspondents in order to communicate, and the
correspondents (namely everyone)
all have to get new signatures on their keys, etc. for the transitive
character of the web of trust to work.
I cannot believe Hal (of whom I have a high opinion) would be so
non-responsive
and misdirective to the concern I had raised. I must have misunderstood
him and
done something wrong. Please tell me what it was.
As for Open PGP, if I didn't misunderstand Hal this would certainly not
be a way to
preserve signature and key structure in the presence of algorithmic
change or
updating.
David