ietf-openpgp

Re: PoP & Signer's User ID subpacket?

2003-07-24 08:19:08

Jon Callas <jon(_at_)callas(_dot_)org> writes:

> On 6/17/03 8:02 AM, "Derek Atkins" <warlord(_at_)MIT(_dot_)EDU> wrote:
>
> > Sure, this is fine... Theoretically the real key owner should have
> > access to both private keys at the same time, so this shouldn't be an
> > issue.  Using a subpacket is fine.  I still believe this is a MUST ;)
>
> I'm happy with any suitable solution, but I have a grumbly thing to add in.
>
> The general case of this is something we've called "signature stealing" and
> is always possible in a system that involves administrative processes. All
> you have to do is take someone else's signing key and start shopping around
> for someone who is careless enough (or bribable enough) to certify it. You
> can then claim that you made any signature made by the victim of that
> attack.

How does this attack work if the signature subkey _REQUIRES_ cross
certification?  If I wanted to assume your signature key, how am I
supposed to get your signature subkey to sign my primary key in order
to perform the (to-be-required) cross-certification?

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord(_at_)MIT(_dot_)EDU                        PGP key available
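
The check discussed in this message, as an added example that is not part of the original post or of any OpenPGP implementation: a verifier that accepts a signing subkey only when the subkey itself has signed the primary key it is bound to. Textbook RSA over fixed Mersenne primes stands in for real OpenPGP signatures; every name and the byte layout of the signed data are assumptions made for illustration.

```python
import hashlib

def mersenne(k):
    return 2**k - 1  # prime for k in 61, 89, 107, 127, 521, 607

def make_key(p, q, e=65537):
    # Toy textbook RSA without padding: illustration only, never for real use.
    n = p * q
    return {"pub": (n, e), "priv": (n, pow(e, -1, (p - 1) * (q - 1)))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_h(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

def binding_data(primary_pub, subkey_pub):
    # Both signatures cover the primary key AND the subkey (layout is an assumption).
    return b"bind|%d:%d|%d:%d" % (primary_pub + subkey_pub)

def bind_subkey(primary, subkey_pub, subkey_priv=None):
    """Primary certifies the subkey; the back signature needs the subkey's private half."""
    data = binding_data(primary["pub"], subkey_pub)
    back = sign(subkey_priv, b"back|" + data) if subkey_priv else None
    return {"primary": primary["pub"], "subkey": subkey_pub,
            "binding_sig": sign(primary["priv"], data), "back_sig": back}

def accept_binding(b, require_cross_cert=True):
    data = binding_data(b["primary"], b["subkey"])
    if not verify(b["primary"], data, b["binding_sig"]):
        return False
    if not require_cross_cert:
        return True  # policy without cross-certification: the primary's word is enough
    return b["back_sig"] is not None and verify(b["subkey"], b"back|" + data, b["back_sig"])

# Constructed keys: the owner's primary and signing subkey, and a second party's primary.
owner = make_key(mersenne(107), mersenne(127))
signing_subkey = make_key(mersenne(61), mersenne(89))
other = make_key(mersenne(521), mersenne(607))

legit = bind_subkey(owner, signing_subkey["pub"], signing_subkey["priv"])
claimed = bind_subkey(other, signing_subkey["pub"])    # no access to the subkey's private half
replayed = dict(claimed, back_sig=legit["back_sig"])   # owner's back signature copied over
```

The replayed binding fails because the back signature covers the primary key, so one made for the owner's primary does not verify against a different primary.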