-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Jun 17, 2003 at 10:13:58AM -0400, Derek Atkins wrote:
David Shaw <dshaw(_at_)jabberwocky(_dot_)com> writes:
Yes. Hal suggested something similar, but to have the signing subkey
certify the primary.
That's not sufficient.. We need both signature keys to cross-certify.
The attack without cross-certification is that I could generate a
signing key and then certify that it's a signing subkey of
president(_at_)whitehouse(_dot_)gov(_dot_)
Sorry, I wasn't clear. I should have said "... in addition to the
current subkey certification from the primary".
Does anyone have any thoughts on the details of this? We already have
all the parts needed to have a signing subkey certify the primary
(just have the subkey issue a 1F signature). I like your suggestion
to put it in the subkey self-signature since that will avoid the
inevitable messiness when a subkey is deleted, but leaves behind the
1F signature. Putting it in the subkey self-signature keeps things
neat.
I think this is exactly where a notary-style double-signature is
useful (and should be required as a MUST).
So, the primary signs the subkey as before and then the subkey
notarizes (0x50 sig) this signature? That sounds good, but we'll end
up with two signature packets after the signing subkey. I'm afraid it
would be likely to confuse pre-2440bis implementations which don't
expect to see that extra signature there.
If we put the subkey-on-primary signature IN the original
primary-on-subkey signature (as a new subpacket), then it won't break
older implementations.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iD8DBQE+7yeb4mZch0nhy8kRAlA5AJ4/ISSYODKaqfddnrTshij3wdCIwgCgkDlv
nJ7Tnd18mVYhmWpeltpcE1M=
=6y3m
-----END PGP SIGNATURE-----