-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, Jun 16, 2003 at 03:53:11PM -0700, Trevor Perrin wrote:
Is there a risk that Alice could trick someone into certifying
that Bob's public key belongs to her? Then someone receiving a
signed message from Bob might incorrectly think it came from
Alice.
Not really, since when Charlie certifies key X, he isn't certifying
that it belongs to anyone other than the string in the user ID.
Assuming Bob doesn't have a user ID "A-L-I-C-E", this shouldn't be
a problem ;)
Of course, it is possible for Alice to attach her own name to Bob's
key as a second user ID, but that user ID wouldn't be selfsigned
and so it would be difficult to get someone else to sign it.
Probably Alice would first ditch Bob's self-signed user ID, then add
her own name as an unsigned user ID. How software would display
that, and whether users would recognize the danger signs and not
sign that, I dunno.
PGP shows such user IDs as revoked (not sure why) and refuses to sign
them.
GnuPG shows such user IDs as unsigned, and warns the user before
signing them. I may go ahead and make the warning even stronger or
just flat out refuse to sign like PGP.
This raises a 2440bis question: given all the recent deprecation of
PGP 2.x stuff, is it worth requiring self-signatures on user IDs now?
If I recall, the only reason that user ID self-signatures are not
currently required was for 2.x compatibility. Certainly every modern
implementation (5.0+, any GnuPG) generates user ID self-signatures
automatically when a user ID is created.
But here's another angle: suppose Alice gets someone to sign her
legitimate primary signing key. Then she signs Bob's public key as
a subkey of her primary key. So even if you've done a
Proof-of-Possession check on Alice's primary key, she can possibly
evade that by introducing a subkey.
At least one of the challenge policies (mine) requires that the
challenge response comes from the primary key. The primary is the one
that I got a fingerprint for, and the primary is the one I'm signing
when I certify the key, so the primary is the one I require the
challenge response from.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iD8DBQE+7oyr4mZch0nhy8kRAl49AKCuSJGc0CJnC6sNYxXvOhzW/xgYcQCgkErK
k1+VB8LIaS1cDV/VFKSkmSc=
=xm/X
-----END PGP SIGNATURE-----