ietf-openpgp

Re: Back-signatures, part II

2003-10-29 15:04:15

On Wed, Oct 29, 2003 at 01:33:23PM -0800, Trevor Perrin wrote:

The problem arises when the user signs a document with the subkey, and
wants this signature to be under one of his particular primaries.  Say he
has Work and Personal primary keys.  He signs something and wants to
indicate that it's under his Work primary key.

A user can "legally" use the same subkey under two different
primaries.

Yeah, but if he does this, a verifier might assume that the signature was
intended under one primary key, when it was really intended under another.

I think this is more of a feature request than an attack.

It's only an attack if a bad guy can choose which primary key the signature 
appears to be under, in a way that tricks the verifier into treating the 
signature incorrectly.

The user intentionally chose to use the same subkey in two places.
The user intentionally issued the signature.  The user shouldn't be
surprised that either copy of the same key can verify that signature.
If a user wants to be unambiguous as to which hat he was wearing when
he issued the signature, he shouldn't use the same key everywhere.

This is somewhat similar to a situation where a user has two user IDs
on his key: "user at evilcompany.com" and "user at
anonymouswhistleblowers.com".  If the user sends out whistleblower
information and signs it with that key, he shouldn't be surprised when
he is fired...

David
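
The ambiguity debated in this thread, as an added example that is not part of the original messages: a signature names the subkey that issued it, so it validates under every primary that binds that subkey. Assumptions: textbook RSA with constructed, insecure parameters stands in for a real signature algorithm, `key_id` is a simplified stand-in for an OpenPGP key ID, and the keyring names and the "report ambiguity" verifier policy are hypothetical.

```python
import hashlib

# Constructed textbook-RSA signing subkey (tiny and insecure; illustration only).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def key_id(n: int, e: int) -> str:
    # Stand-in for a key ID: derived from the public key material only,
    # so identical subkey material yields an identical ID under any primary.
    return hashlib.sha1(f"{n}:{e}".encode()).hexdigest()[-16:]

def sign(data: bytes) -> dict:
    # The signature names the issuing subkey; nothing in it names a primary.
    return {"issuer": key_id(N, E), "sig": pow(digest(data), D, N)}

# Constructed keyring: the same subkey material bound under two primaries.
KEYRING = {
    "Work primary": [(N, E)],
    "Personal primary": [(N, E)],
}

def primaries_that_verify(data: bytes, signature: dict) -> list:
    """Return every primary with a bound subkey that validates the signature."""
    matches = []
    for primary, subkeys in KEYRING.items():
        for n, e in subkeys:
            if key_id(n, e) != signature["issuer"]:
                continue
            if pow(signature["sig"], e, n) == digest(data):
                matches.append(primary)
    return matches

def attribute(data: bytes, signature: dict) -> str:
    """Hypothetical verifier policy: never silently pick one of several primaries."""
    matches = primaries_that_verify(data, signature)
    if not matches:
        return "invalid"
    if len(matches) == 1:
        return matches[0]
    return "ambiguous: " + ", ".join(matches)
```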
