ietf-openpgp
[Top] [All Lists]

Re: Back-signatures, part II

2003-10-29 15:21:13

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trevor Perrin wrote:
> At 10:34 PM 10/28/2003 -0500, Michael Young wrote:
>> Also, note that the specification already provides a "signer
>> userId" subpacket that could be used to nearly the same effect as
>> a "signer primary fingerprint" subpacket.
>
> I think that would prevent the version of this where the attacker
> tries  to convince the verifier that the signed message came from
> his *name*.

In practice, I think it's far more interesting to claim that a
particular real-world identity signed a document than a particular
primary key.  But I understand the difference -- that's why I said
"nearly".

Trevor Perrin wrote (in another message):
> I don't want to re-confuse an issue you've just clarified, but
> here's a  generalization of the second proposal that might be worth
> considering:
>
> You could include in *every* signature a subpacket that contains a
> hash  of *all* enclosing context.  By "enclosing context" I mean
> the key  packet for the primary key, along with its
> self-signatures, and the key  packet for the subkey as well (if the
> signing key is a subkey) along  with the subkey binding signature.

This would add yet another impediment to rewriting self-signatures
(or binding signatures).  To permit rewriting, you'd have to keep
all past versions (and try each one at verification time) or copy
that material into the signature.

Very little of this "context" is relevant for most uses.  For special
needs, we have notation packets to carry arbitrary additional
context.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBP6Az6uc3iHYL8FknEQKTzACcCSmnT4PmJTTUrq8Qd+3moODXWXkAoPEk
AmymFtI4xHJSl2Jj3/b/EqJy
=kZ1K
-----END PGP SIGNATURE-----



<Prev in Thread] Current Thread [Next in Thread>