-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Jun 17, 2003 at 09:48:31AM -0400, Derek Atkins wrote:
David Shaw <dshaw(_at_)jabberwocky(_dot_)com> writes:
On Mon, Jun 16, 2003 at 10:36:58PM -0400, Derek Atkins wrote:
Trevor Perrin <trevp(_at_)trevp(_dot_)net> writes:
Bob emails Charlie and says "Hi, I'm your old friend Bob. Where did
you bury that treasure we stole?" Charlie replies "If you're really
Bob, what's our codeword? And send it to me signed and encrypted, so
I'll know which public key is yours." So Bob does. But Alice now
slips Charlie a primary key that has Bob's public key as a signing
subkey, and Alice's public key as an encryption subkey. Charlie
decrypts and verifies the message, and is satisfied that the owner of
this primary key knows the codeword, and is "Bob". So he encrypts the
treasure map to Alice's public key.
Except that Alice's subkey wouldn't have a self-signature by Bob's
primary key, so it shouldn't be accepted by Charlie as a valid subkey.
I think Trevor was referring to Alice generating a brand new primary
signing key and encryption subkey, and then using the new primary to
self-sign Bob's signing subkey (or transform Bob's primary into a
subkey and self-sign that). Alice then is in posession of a key that
will correctly verify Bob's signatures, but someone encrypting to the
key will encrypt to Alice.
Alice can't issue signatures as Bob, but can attempt to claim existing
Bob signatures as her own.
Well, the obvious fix for this attack is to require all signing keys
to be authoritative. If we're going to allow signature subkeys (as
opposed to just encryption subkeys), then the self-signature on that
subkey should be a two-factor signature, requiring BOTH secret keys.
Yes. Hal suggested something similar, but to have the signing subkey
certify the primary.
Does anyone have any thoughts on the details of this? We already have
all the parts needed to have a signing subkey certify the primary
(just have the subkey issue a 1F signature). I like your suggestion
to put it in the subkey self-signature since that will avoid the
inevitable messiness when a subkey is deleted, but leaves behind the
1F signature. Putting it in the subkey self-signature keeps things
neat.
With regards to signing subkeys in general, I'd much rather fix the
problem than drop signing subkeys. 2440 defined signing subkeys years
ago, and they are already in use today (this message is signed by
one). They are very useful in a good number of situations. To remove
them now seems like a step backwards.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iD8DBQE+7yAq4mZch0nhy8kRAvMdAKCsBsZK5LITnlFr4m/enwqUdmruUACgy/Dc
RzWq73rYII43Mabr7S0QNO4=
=RBrQ
-----END PGP SIGNATURE-----