At 10:36 PM 6/16/2003 -0400, Derek Atkins wrote:
> Trevor Perrin <trevp(_at_)trevp(_dot_)net> writes:
>> Bob emails Charlie and says "Hi, I'm your old friend Bob. Where did
>> you bury that treasure we stole?" Charlie replies "If you're really
>> Bob, what's our codeword? And send it to me signed and encrypted, so
>> I'll know which public key is yours." So Bob does. But Alice now
>> slips Charlie a primary key that has Bob's public key as a signing
>> subkey, and Alice's public key as an encryption subkey. Charlie
>> decrypts and verifies the message, and is satisfied that the owner of
>> this primary key knows the codeword, and is "Bob". So he encrypts the
>> treasure map to Alice's public key.
> Except that Alice's subkey wouldn't have a self-signature by Bob's
> primary key, so it shouldn't be accepted by Charlie as a valid subkey.
It would have a self-signature by Alice's primary key, but Charlie wouldn't
know this was Alice's primary key and not Bob's. In this example, I was
assuming there's no web of trust, and Charlie doesn't otherwise know Bob's
primary key. Charlie is trying to authenticate Bob and determine Bob's
keys, and knows that if Bob sends him (Charlie) a signed and encrypted
message containing a "codeword" they both know, then the signing key must
belong to Bob.
Charlie then makes the reasonable but wrong assumption that the primary key
and the encryption subkey that he found associated with this signing subkey
must also belong to Bob.
If the signature on the actual message contained the primary key ID, as a
hashed subpacket, then an attacker wouldn't be able to associate her own
primary key with Bob's signing key, so then Charlie's assumption would be
correct. I think.
Trevor
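The rebinding attack Trevor describes, and the hashed-subpacket fix he proposes, as an added worked example (editor's code, not from the thread or from any OpenPGP implementation). The model is deliberately minimal: a certificate is a primary key plus subkeys, each carried by a binding signature the primary makes over the subkey; Charlie checks that binding, checks the message signature under the signing subkey, checks the codeword, and then picks the certificate's encryption subkey. The "RSA" is textbook RSA over fixed Mersenne primes and is not secure; it exists only so that "signed by key X" is mechanically checkable offline. Key sizes, fingerprint truncation, the subpacket encoding and the codeword SWORDFISH are all assumptions of the example.

```python
"""Toy model of the subkey-rebinding attack and the hashed-subpacket fix.
Editor's example, not thread or project code. Textbook RSA over fixed
Mersenne primes: NOT secure, illustration only."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Fixed primes so the example is deterministic (assumed toy parameters).
_MERSENNE = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1,
             2**607 - 1, 2**1279 - 1, 2**2203 - 1, 2**2281 - 1, 2**3217 - 1]


@dataclass(frozen=True)
class Key:
    n: int
    e: int
    d: Optional[int] = None  # None for a public-only copy

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(f"{self.n}:{self.e}".encode()).hexdigest()[:16]

    def public(self) -> "Key":
        return Key(self.n, self.e)


def keygen(i: int) -> Key:
    p, q = _MERSENNE[2 * i], _MERSENNE[2 * i + 1]
    e = 65537
    return Key(p * q, e, pow(e, -1, (p - 1) * (q - 1)))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: Key, data: bytes) -> int:
    assert key.d is not None, "signing needs the private key"
    return pow(_digest(data, key.n), key.d, key.n)


def verify(key: Key, data: bytes, sig: int) -> bool:
    return pow(sig, key.e, key.n) == _digest(data, key.n)


# A certificate: primary key plus subkeys, each bound by a signature the
# primary key makes over the subkey's public part.
def _binding_data(sub: Key) -> bytes:
    return b"subkey-binding:" + sub.fingerprint.encode()


@dataclass
class Cert:
    primary: Key
    signing_sub: Key
    encryption_sub: Key
    bindings: dict = field(default_factory=dict)  # sub fingerprint -> sig by primary


def make_cert(primary: Key, signing_sub: Key, encryption_sub: Key) -> Cert:
    """Only the subkeys' public parts are needed: anyone holding a primary
    key can 'bind' somebody else's public key as a subkey of it."""
    c = Cert(primary.public(), signing_sub.public(), encryption_sub.public())
    for sub in (signing_sub, encryption_sub):
        c.bindings[sub.fingerprint] = sign(primary, _binding_data(sub))
    return c


def _signed_bytes(msg: bytes, hashed: dict) -> bytes:
    # Hashed subpackets are covered by the signature: they cannot be
    # stripped or altered without invalidating it.
    return msg + b"\x00" + repr(sorted(hashed.items())).encode()


def sign_message(sub: Key, msg: bytes, hashed: dict) -> int:
    return sign(sub, _signed_bytes(msg, hashed))


def charlie_decides(cert: Cert, msg: bytes, hashed: dict, sig: int,
                    codeword: bytes) -> Optional[str]:
    """Charlie's check. Returns the fingerprint of the key he will encrypt
    the treasure map to, or None if he rejects the message."""
    sub = cert.signing_sub
    if not verify(cert.primary, _binding_data(sub), cert.bindings[sub.fingerprint]):
        return None  # signing subkey is not bound by this primary key
    if not verify(sub, _signed_bytes(msg, hashed), sig):
        return None  # message signature does not verify under the subkey
    if codeword not in msg:
        return None  # whoever signed this does not know the codeword
    # The proposed fix: if the signature names its primary key in a hashed
    # subpacket, the certificate Charlie holds must have that primary key.
    claimed = hashed.get("primary_fp")
    if claimed is not None and claimed != cert.primary.fingerprint:
        return None
    return cert.encryption_sub.fingerprint


def run_scenario(include_primary_id: bool) -> dict:
    bob_primary, bob_sign, bob_enc = keygen(0), keygen(1), keygen(2)
    alice_primary, alice_enc = keygen(3), keygen(4)
    bob_cert = make_cert(bob_primary, bob_sign, bob_enc)

    # Bob answers Charlie's challenge, signed with his signing subkey.
    msg = b"Hi Charlie, the codeword is SWORDFISH"
    hashed = {"issuer": bob_sign.fingerprint}
    if include_primary_id:
        hashed["primary_fp"] = bob_primary.fingerprint
    sig = sign_message(bob_sign, msg, hashed)

    # Alice rebinds Bob's public signing subkey under her own primary key,
    # next to her own encryption subkey, and hands that cert to Charlie.
    alice_cert = make_cert(alice_primary, bob_sign.public(), alice_enc)
    # Alice also tries presenting the signature with the subpacket removed.
    stripped = {k: v for k, v in hashed.items() if k != "primary_fp"}
    return {
        "honest": charlie_decides(bob_cert, msg, hashed, sig, b"SWORDFISH"),
        "attack": charlie_decides(alice_cert, msg, hashed, sig, b"SWORDFISH"),
        "attack_stripped": charlie_decides(alice_cert, msg, stripped, sig, b"SWORDFISH"),
        "bob_enc": bob_enc.fingerprint,
        "alice_enc": alice_enc.fingerprint,
    }


if __name__ == "__main__":
    for flag in (False, True):
        r = run_scenario(flag)
        print("primary id in hashed subpacket:", flag,
              "| map encrypted to Alice:", r["attack"] == r["alice_enc"])
```

Without the primary-key subpacket, `run_scenario(False)` has Charlie accept Alice's certificate and choose her encryption subkey; with it, `run_scenario(True)` rejects her certificate, and dropping the subpacket from the signature also fails because it sits inside the signed data. Two caveats for readers of this 2003 thread: the subpacket only helps once Charlie actually compares it against the certificate he is holding (the last check in `charlie_decides`), and the OpenPGP standard later addressed the signing-subkey half of this problem differently, by requiring the signing subkey itself to sign back over the primary key (the "back signature" embedded in the subkey binding signature in RFC 4880), so that a primary key cannot unilaterally claim someone else's signing subkey.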