ietf-openpgp

Suggestion for the signing subkey problem

2003-06-24 19:57:07

Hi everyone,

I was thinking about the "stolen signing subkey" problem, and a
slightly different solution popped up:

What if we create a new "signature in a signature" subpacket that is
defined as a regular signature contained in a subpacket?  All signing
subkeys MUST contain such a subpacket in their binding self-signature.
The "subpacket signature" in this case is made by the signing subkey,
and on the primary key, hashed as if for a 1F signature.  The end
result is that the signing subkey has a binding self-signature issued
by the primary key as we do now, and that binding self-signature has
an embedded 1F signature on the primary key data issued by the signing
subkey itself.

One of the nice benefits of using a subpacket here, rather than some
other scheme, is that we can set the critical bit of the subpacket if
we want to "break" the signing subkey on older implementations, but at
the same time, we don't have to.

I was considering suggesting a single-purpose subpacket that could
only be used for making a back-signature from a signing subkey on the
primary key data, but it started to look like reinventing the wheel.
We have a good, working, signature format.  If we just stick it in a
subpacket, we can leverage all that work.

Yes, it is a little odd to contemplate the idea that a subpacket can
contain a signature that contains subpackets which contain a
signature...  "Great fleas have little fleas upon their backs to bite
'em, And little fleas have lesser fleas, and so ad infinitum."

Is this overkill for the exact problem at hand?  Probably.  On the
brighter side, it is certainly a more general solution that could be
useful elsewhere.  For example, it might replace the (as yet unused)
signature target subpacket: since we can just stick the target
signature in this proposed subpacket, we don't need the current target
subpacket anymore.  It also enables interesting possibilities for the
notary signature.

David
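
The following is an added example, not part of the message above or of any OpenPGP implementation: it encodes a binding signature's subpacket area with an embedded 1F signature and shows how the critical bit decides whether an implementation that predates the subpacket accepts or rejects the binding. Assumptions: the type number 32 (the post assigns none; RFC 4880 later used 32 for Embedded Signature), the helper names, and the constructed sample bytes; cryptographic verification of the back-signature is out of scope.

```python
import struct

EMBEDDED_SIG = 32  # assumption: the post assigns no type number (RFC 4880 later used 32)
CREATION_TIME, KEY_FLAGS = 2, 27  # existing RFC 2440 subpacket types

def encode_subpacket(sp_type, body, critical=False):
    """Length (counts the type octet plus body), type octet, body."""
    n = len(body) + 1
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = struct.pack(">H", n - 192 + 0xC000)
    else:
        length = b"\xff" + struct.pack(">I", n)
    return length + bytes([sp_type | (0x80 if critical else 0)]) + body

def parse_subpackets(area):
    """Yield (type, critical, body) per subpacket; ValueError on a bad length."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            n, i = int.from_bytes(area[i:i + 2], "big") - 0xC000 + 192, i + 2
        else:
            n, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if n < 1 or i + n > len(area):
            raise ValueError("bad subpacket length")
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + n]
        i += n

def check_binding(area, known_types, require_backsig):
    """Return (ok, back_sigs) as an implementation knowing known_types sees it."""
    back_sigs = []
    for sp_type, critical, body in parse_subpackets(area):
        if sp_type not in known_types:
            if critical:
                return False, []  # unknown critical subpacket: signature in error
            continue              # unknown, not critical: skipped
        if sp_type == EMBEDDED_SIG and body[:2] == b"\x04\x1f":
            back_sigs.append(body)  # v4, type 0x1F; still to be verified cryptographically
    return (bool(back_sigs) or not require_backsig), back_sigs

# Constructed sample: v4, type 0x1F, DSA, SHA-1, empty subpacket areas, zeroed
# hash prefix, no MPIs. A placeholder, not a real signature.
BACK_SIG = b"\x04\x1f\x11\x02" + bytes(6)

def binding_area(critical):
    """Constructed subpacket area of a signing-subkey binding signature."""
    return (encode_subpacket(CREATION_TIME, struct.pack(">I", 1056484627))
            + encode_subpacket(KEY_FLAGS, b"\x02")
            + encode_subpacket(EMBEDDED_SIG, BACK_SIG, critical))

OLD = {CREATION_TIME, KEY_FLAGS}   # implementation that predates the subpacket
NEW = OLD | {EMBEDDED_SIG}         # implementation that requires the back-signature
```

With the critical bit clear, `check_binding(binding_area(False), OLD, False)` accepts the binding and never sees the back-signature; with it set, the same implementation rejects the binding, while one that knows the subpacket extracts the embedded signature for verification.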