[Top] [All Lists]

RE: draft-ietf-openpgp-rfc2440bis-06.txt

2002-09-23 14:33:47

Hash: SHA1

-----Original Message-----
From: Bodo Moeller 
Sent: Monday, September 23, 2002 1:57 PM
To: Richie Laager
Cc: 'OpenPGP'
Subject: Re: draft-ietf-openpgp-rfc2440bis-06.txt

On Mon, Sep 23, 2002 at 01:49:14PM -0500, Richie Laager wrote:

Did you read my original message from the mailing list archives?
There is a simple workaround for the protocol failure, which
does not have the problems of your proposal: whenever someone
certifies someone else's key, then if this key has an expiration
time set, the certification signature should get an expiration
time too such that the signature's validity period extends no
longer into the future than the key's validity period.

How does this help? If a "bad guy" gets the private key, he can
simply resign everyone's key.

If the bad guy gets Alice's private key that has expired, he can
renew Alice's self-signature on the key, but he cannot renew Bob's
certification for Alice's key, which will have expired too
according to my proposal.  So no-one will believe it is still
Alice's key.

Okay. I get it now. Alice's key expires in 5 years from creating, for
example. Two years later, Bob signs Alice's. Bob's PGP client sets an
expiration date of 3 years in the future on Bob's signature on
Alice's key. That way, Bob's signature expires at the same time as
Alice's key. If an attacker gets Alice's private key and extends the
expiration, the attacker would have to regain all of the signatures.

The only flaw I can see is that if Alice sets an expiration date of
Never, gets a signature from Bob, and then sets her expiration time
to 5 years, Bob's signature will likely NOT have an expiration date.
So, an attacker could then exploit Bob's signature. In essence, this
means that someone can't shrink their key validity length (length as
in time) and still have these benefits. My proposal would allow this.
However, my proposal doesn't allow someone to extend his or her key
validity length. And, my proposal requires changes on the client side
of the recipient, while your proposal requires client side changes
for the key signer. Therefore, I'll agree that your proposal is the
best. I just wanted to contribute my thoughts and clarify my
understanding of the issue.

Richard Laager

Version: PGP 7.0.4