-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings,
Except that the human psyche does not function in the
manner in which your protocol thinks it should.
And that may be it's shortcomings.
Packets, protocols, and RFC's are meaningless, when
the limitations of the human mind are not taken into
consideration. By UI, I do not mean an implementation,
I mean, the UI of your RFC, yes, RFC's have a UI...
UI does not only stand for "User Interface", it is
also what I call "Human Element".
You talk about the WoT, but, isn't that broken
with subkeys...
That is all I have to say, and only time
will prove me right.
If you do find me obnoxious, then, by all means
do let me know, I will then refrain for posting
anything to this forum.
Best Regards
Imad R. Faiad
On 01 Jul 2003 11:57:13 -0400, you wrote:
Ok, putting my chair hat on.
Removing subkeys from 2440bis is OUT OF SCOPE. Fixing security
problems with subkeys is IN SCOPE. The goal of 2440bis is to fix
security and interop issues, not remove functionality just because
some people have minimalist views.
While minimalism is a virtue, it (like all things) should be applied
in moderation.
Having said that, and taking my chair hat off....
"Imad R. Faiad" <matic(_at_)cyberia(_dot_)net(_dot_)lb> writes:
9) She sends a message to Bob, which
is at least signed with the signing
subkey of Alice's fake key. Does
the same with Alice using the signing
subkey in Bob's fake key.
Except there is no subkey-signature from the signing subkey on the
fake-Alice master key, so Bob wont accept it as a valid subkey.
10) Alice and Bob thinking that the other
party must have generated yet another
subkey update their copy from the servers.
Except they wont think this, because the subkey wont validate on
Eve's replacement keys.
11) In both cases the message authenticates,
giving credence to the respective fake keys.
12) In the worst case scenario, Alice
and Bob, will start using the other's
fake key, while each is ignorant
that the other party is using his fake
key. Since, Eve is in the middle,
decrypting the messages, then
re-encrypting and forwarding them to
the other party.
Well, first, if Alice and Bob have signed each other's master key,
then they wont use the fake keys.
The above sounds implausible to you?
It sounds implausible in the face of a real WoT between
Alice and Bob. It also sounds implausible once Alice and
Bob have keys in the local keyright. It is certainly plausible
on a first-contact basis without a real WoT.
I will note that UI issues are out of scope here. The UI issue
is an implementation issue and has nothing to do with interop.
The purpose of 2440bis is to fix security and interop problems;
how that is translated to a UI is implementation dependent and has
little to do with the protocol.
There are a spectrum of solutions.
On the one extreme there is the scalpel school of
thought which believes that if something
is questionable, you get rid of it altogether,
to put my suggestion on the Master key/ one
subkey restriction, into perspective. It does
not mean that I belong to the "scalpel school of
thought". Nor do I profess such a proposed solution
as a religion... I could care less what the adopted
solution is, as long as it addresses the root of
the problem to my satisfaction.
As I have already stated, removing subkeys is out of scope.
David Shaw's patch, does not solve the problem.
Can you please show an example where David's patch does not work?
In particular, the approach where the master key and subkey cross-sign
each other seems to protect against all the attacks you've proposed so
far... The case where Alice does not know Bob's master key is a WoT
issue and has nothing to do with subkeys -- the subkey issue is knowing
what master key a subkey belongs to.
Why shouldn't subkeys be regarded like any other
keys. What applies to key, should apply to them
too.
In what way are subkeys not regarded like master keys?
my 2c
Best Regards
Imad R. Faiad
-derek
On Sun, 29 Jun 2003 23:01:26 +0100, you wrote:
I am amazed that this thread is still running several weeks
after you
started it, with virtually every response refuting your arguments...
And what amazes me, is that you have yet to grasp what we are
talking about! Please re-read the thread, some issues have
been addressed. I sincerely hope that you re-read each and
every message in that thread, because, you are taylor made
for the kind of attacks which can be inflicted to your OpenPGP keys.
I've read all the messages. Your request that subkey capability be
essentially removed has been rejected by all of them.
RFC 2440 was published five years ago. I look forward to your draft
removing multiple subkey capability from it.
I am no paper pusher, and do not have the funding or
time/ability to publish RFC's
So I guess this thread is at an end then, with the capability
remaining.
-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45
iQEVAwUBPwHP/LzDFxiDPxutAQJMwQf/UNKORxZfDApb5sZWItwkl7bkvJEkOECh
SphQ5B5+YWOdm6zjWaK0GKISA7LIwsrOBIWZ7VEpbNHZznbyHMa7pM9iedy3s0p4
29twTgSf7XEGBX0GuJSvsgt8Oh1aJoLQYGXUWS+GJ7rqPzjFuXQKv6h6+fvWMNzf
At+9M49H+zrAGFaiWWWX4gErpV74XmaZS63ARyro0taWTHlJY1Flm9OPhbGsA4kQ
undI200hv1Z1f4zfCfGqNeyknRQz5dRqQnJ6D1ZwUu1fPtHGCsAaVmL9Mf+kGZ2Q
3gSI0hnYH3MhZWXgMFc1cYxgIhiFqbn/BDLS0isS/9EjG5GGWLJ0qw==
=cDhw
-----END PGP SIGNATURE-----