ietf-openpgp

Re: PoP & Signer's User ID subpacket?

2003-06-16 15:53:55

At 06:08 PM 6/16/2003 -0400, David Shaw wrote:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, Jun 16, 2003 at 02:34:26PM -0700, Trevor Perrin wrote:
>
> > I could be wrong, but it seems like PGP keysigning often happens without
> > Proof-of-Possession of the corresponding private key.  For example, at PGP
> > keysigning parties, I think it's common for people to attest that a
> > fingerprint really belongs to them, but not have to produce signatures with
> > the corresponding private key.
>
> That is true.  Some people (like me) send a challenge to the email
> address in the user ID, and require that the key owner sign the
> challenge before I'll sign the key.  There are a few variations on
> this basic idea, some more rigorous than others.
>
> > Is there a risk that Alice could trick someone into certifying that Bob's
> > public key belongs to her?  Then someone receiving a signed message from
> > Bob might incorrectly think it came from Alice.
>
> Not really, since when Charlie certifies key X, he isn't certifying
> that it belongs to anyone other than the string in the user ID.
> Assuming Bob doesn't have a user ID "A-L-I-C-E", this shouldn't be a
> problem ;)
>
> Of course, it is possible for Alice to attach her own name to Bob's
> key as a second user ID, but that user ID wouldn't be selfsigned and
> so it would be difficult to get someone else to sign it.

Probably Alice would first ditch Bob's self-signed user ID, then add her own name as an unsigned user ID. How software would display that, and whether users would recognize the danger signs and not sign that, I dunno.

But here's another angle: suppose Alice gets someone to sign her legitimate primary signing key. Then she signs Bob's public key as a subkey of her primary key. So even if you've done a Proof-of-Possession check on Alice's primary key, she can possibly evade that by introducing a subkey.

I'm too lazy to spend a nice summer day testing this, but from the draft it seems like it might work. So I still like encouraging use of the "Signer's User ID" subpacket in the Security Considerations.

Trevor
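
The challenge-before-signing check described in this thread, extended to cover every subkey as well as the primary key, as an added example that is not part of the original message. It assumes a simplified model in which plain Ed25519 keys stand in for OpenPGP key packets; `Key`, `CheckPoP` and `Demo` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Key is a simplified stand-in for an OpenPGP key, not the real packet format.
type Key struct {
	Primary ed25519.PublicKey
	Subkeys []ed25519.PublicKey // attached by whoever holds the primary key
}

// CheckPoP challenges the primary key and every subkey; it counts keys whose holder cannot sign.
func CheckPoP(k Key, respond func(pub ed25519.PublicKey, challenge []byte) []byte) (failed int) {
	for _, pub := range append([]ed25519.PublicKey{k.Primary}, k.Subkeys...) {
		nonce := make([]byte, 32)
		if _, err := rand.Read(nonce); err != nil {
			panic(err)
		}
		// Tie the challenge to the key under test so a response cannot be reused for another key.
		challenge := append(append([]byte("pop-challenge:"), nonce...), pub...)
		sig := respond(pub, challenge)
		if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, challenge, sig) {
			failed++
		}
	}
	return failed
}

// Demo models the thread's scenario: the subkey is a public key whose private half Alice never held.
func Demo() (primaryOnlyOK bool, failed int) {
	alicePub, alicePriv, errA := ed25519.GenerateKey(rand.Reader)
	bobPub, _, errB := ed25519.GenerateKey(rand.Reader)
	if errA != nil || errB != nil {
		panic("key generation failed")
	}
	alice := func(pub ed25519.PublicKey, c []byte) []byte {
		if pub.Equal(alicePub) {
			return ed25519.Sign(alicePriv, c)
		}
		return nil
	}
	primaryOnlyOK = CheckPoP(Key{Primary: alicePub}, alice) == 0
	failed = CheckPoP(Key{Primary: alicePub, Subkeys: []ed25519.PublicKey{bobPub}}, alice)
	return
}

func main() { fmt.Println(Demo()) }
```

A check that challenges only the primary key passes in this model; challenging each subkey is what flags the key that the holder cannot sign with.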