PoP & Signer's User ID subpacket?
2003-06-16 14:34:40
I could be wrong, but it seems like PGP keysigning often happens without
Proof-of-Possession of the corresponding private key. For example, at PGP
keysigning parties, I think it's common for people to attest that a
fingerprint really belongs to them, but not have to produce signatures with
the corresponding private key.
Is there a risk that Alice could trick someone into certifying that Bob's
public key belongs to her? Then someone receiving a signed message from
Bob might incorrectly think it came from Alice.
Maybe, as a Security Consideration, the "Signer's User ID" subpacket should
always be included in signatures. If Bob always included this subpacket in
his signatures, then no-one could be tricked into thinking Bob's signed
messages really came from Alice.
Trevor
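The check the post proposes, as an added example that is not part of the original thread: a verifier that parses the Signer's User ID subpacket (type 28, RFC 4880 length encoding) out of a signature's subpacket area and compares it against the User IDs it actually trusts for the signing key. The key, names and addresses are constructed for the scenario in the post (a verifier misled into certifying Bob's key under Alice's name).

```python
"""Compare an OpenPGP signature's Signer's User ID subpacket (type 28)
with the User IDs a verifier trusts for the signing key."""
SIGNER_USER_ID = 28  # subpacket type, RFC 4880 section 5.2.3.22


def parse_subpackets(area: bytes):
    """Return (type, body) pairs from a signature subpacket area.
    Length encoding follows RFC 4880 section 5.2.3.1."""
    i, out = 0, []
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:                                # five-octet length
            length = int.from_bytes(area[i + 1:i + 5], "big")
            i += 5
        body = area[i:i + length]
        if len(body) != length:
            raise ValueError("truncated subpacket")
        # first body octet is the type; bit 7 is the 'critical' flag
        out.append((body[0] & 0x7F, body[1:]))
        i += length
    return out


def encode_subpacket(sp_type: int, body: bytes) -> bytes:
    """Build one subpacket (one-octet length form, enough for test data)."""
    length = len(body) + 1
    assert length < 192
    return bytes([length, sp_type]) + body


def check_signer_user_id(area: bytes, trusted_uids):
    """Return (verdict, uid): 'match' if the named User ID is one the
    verifier trusts for this key, 'mismatch' otherwise, 'absent' if none."""
    for sp_type, body in parse_subpackets(area):
        if sp_type == SIGNER_USER_ID:
            uid = body.decode("utf-8")
            return ("match" if uid in trusted_uids else "mismatch", uid)
    return ("absent", None)


# Constructed scenario: the verifier believes Bob's key belongs to Alice,
# but Bob's signature carries his own Signer's User ID, so the check flags it.
TRUSTED_FOR_KEY = {"Alice <alice@example.com>"}                          # constructed
bob_sig_area = encode_subpacket(SIGNER_USER_ID, b"Bob <bob@example.com>")  # constructed
```

A signature without the subpacket yields 'absent', which is exactly the case the post argues should not be silently accepted.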