David Shaw <dshaw(_at_)jabberwocky(_dot_)com> writes:
Yes. Hal suggested something similar, but to have the signing subkey
certify the primary.
That's not sufficient.. We need both signature keys to cross-certify.
The attack without cross-certification is that I could generate a
signing key and then certify that it's a signing subkey of
president(_at_)whitehouse(_dot_)gov(_dot_)
Does anyone have any thoughts on the details of this? We already have
all the parts needed to have a signing subkey certify the primary
(just have the subkey issue a 1F signature). I like your suggestion
to put it in the subkey self-signature since that will avoid the
inevitable messiness when a subkey is deleted, but leaves behind the
1F signature. Putting it in the subkey self-signature keeps things
neat.
I think this is exactly where a notary-style double-signature is
useful (and should be required as a MUST).
With regards to signing subkeys in general, I'd much rather fix the
problem than drop signing subkeys. 2440 defined signing subkeys years
ago, and they are already in use today (this message is signed by
one). They are very useful in a good number of situations. To remove
them now seems like a step backwards.
Fair enough.. I don't like it, but we can at least fix the
certification problems.
David
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord(_at_)MIT(_dot_)EDU PGP key available