On 6/17/03 8:02 AM, "Derek Atkins" <warlord(_at_)MIT(_dot_)EDU> wrote:
Sure, this is fine... Theoretically the real key owner should have
access to both private keys at the same time, so this shouldn't be an
issue. Using a subpacket is fine. I still belive this is a MUST ;)
I'm happy with any suitable solution, but I have a grumbly thing to add in.
The general case of this is something we've called "signature stealing" and
is always possible in a system that involves administrative processes. All
you have to do is take someone else's signing key and start shopping around
for someone who is careless enough (or bribable enough) to certify it. You
can then claim that you made any signature made by the victim of that
attack.
This is not a flaw in OpenPGP, it is a flaw in the very nature of digital
signatures. It is a flaw that can be narrowed, but not solved, period end of
sentence. Furthermore, there is a sense in which it's bad security practice
to worry about it too much. The reason is that it creates an opportunity for
attack escalation; it makes the system more brittle. In simple words, the
harder it is to steal a signature, then the more valuable a bogus cert is,
and the more devastating such an attack is to the victim.
Please note that I'm not suggesting we do nothing here. Anything we do to
improve the bindings is good. I'm merely pointing out that we shouldn't get
wrapped around the axle over an issue that is unsolvable.
A clever signature thief can claim possession of those signatures, and
refuse to make more on the grounds that they have retired that key and are
now using *this* one.
This is merely another place where sticky human issues can't be obviated by
mathematics.
Jon