ietf-openpgp

Re: Back-signatures, part II

2003-10-29 16:17:36

At 05:04 PM 10/29/2003 -0500, David Shaw wrote:
> On Wed, Oct 29, 2003 at 01:33:23PM -0800, Trevor Perrin wrote:
>
> > >> The problem arises when the user signs a document with the subkey, and
> > >> wants this signature to be under one of his particular primaries. Say he
> > >> has Work and Personal primary keys.  He signs something and wants to
> > >> indicate that it's under his Work primary key.
> > >
> > >A user can "legally" use the same subkey under two different
> > >primaries.
> >
> > yeah, but if he does this, a verifier might assume that the signature was
> > intended under one primary key, when it was really intended under another.
> >
> > >  I think this is more of a feature request than an attack.
> >
> > It's only an attack if a bad guy can choose which primary key the signature
> > appears to be under, in a way that tricks the verifier into treating the
> > signature incorrectly.
>
> The user intentionally chose to use the same subkey in two places.
> The user intentionally issued the signature.  The user shouldn't be
> surprised that either copy of the same key can verify that signature.
> If a user wants to be unambiguous as to which hat he was wearing when
> he issued the signature, he shouldn't use the same key everywhere.

Yeah, this is easily avoided if you just don't re-use keys.

It would also be avoided if the signature is calculated over the hat the user was wearing, when he issued the signature. Then you can re-use keys without fear that a verifying party will be confused or tricked about which copy of the key you signed with.

> This is somewhat similar to a situation where a user has two user IDs
> on his key: "user at evilcompany.com" and "user at
> anonymouswhistleblowers.com".  If the user sends out whistleblower
> information and signs it with that key, he shouldn't be surprised when
> he is fired...

Anonymity throws a different spin on things.

The case I was thinking of, where key re-use might occur, is in something like a smartcard, or a delegated signing server. This might have limited key storage, or it might not be able to generate new keys (not enough power, or not enough randomness). If different users share the device, they each might want to certify the device's subkey as belonging under their own primary key.

The device would want to make sure each of its signatures is attributable to the right primary key. If every signature is a back-signature, this is accomplished.


Trevor
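An added illustration of the point argued above, not part of the original message or of OpenPGP's actual back-signature format: a constructed Python sketch in which two primaries (Work and Personal) share one subkey, modelled here as an HMAC secret standing in for an asymmetric key. A signature over the message alone verifies under either primary; a signature that also covers the issuing primary's fingerprint (the "hat") verifies under that primary only. All key material and fingerprints are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for a subkey shared by two primaries: the subkey is
# an HMAC secret and "sign" is HMAC-SHA256. Real OpenPGP subkeys are
# asymmetric; only what the signature covers matters for this illustration.
SHARED_SUBKEY = b"constructed-shared-subkey-secret"

# Constructed fingerprints for the Work and Personal primary keys, both of
# which have certified SHARED_SUBKEY as their signing subkey.
PRIMARIES = {
    "Work": hashlib.sha256(b"constructed-work-primary").digest(),
    "Personal": hashlib.sha256(b"constructed-personal-primary").digest(),
}


def sign_plain(subkey: bytes, message: bytes) -> bytes:
    """Signature over the message alone: it says nothing about which primary
    the signer meant, so either primary's verifier will accept it."""
    return hmac.new(subkey, message, hashlib.sha256).digest()


def sign_bound(subkey: bytes, message: bytes, primary_fpr: bytes) -> bytes:
    """Signature over the issuing primary's fingerprint plus the message:
    the 'hat' the signer wore becomes part of the signed data."""
    return hmac.new(subkey, primary_fpr + b"\x00" + message, hashlib.sha256).digest()


def accepting_primaries(message: bytes, sig: bytes, bound: bool) -> list:
    """Names of the primaries under which a verifier that trusts the shared
    subkey would accept `sig`. A bound-aware verifier recomputes the
    signature with its own primary's fingerprint in the signed data."""
    accepted = []
    for name, fpr in PRIMARIES.items():
        expected = (sign_bound(SHARED_SUBKEY, message, fpr) if bound
                    else sign_plain(SHARED_SUBKEY, message))
        if hmac.compare_digest(expected, sig):
            accepted.append(name)
    return sorted(accepted)


if __name__ == "__main__":
    msg = b"constructed document signed under the Work primary"
    plain = sign_plain(SHARED_SUBKEY, msg)
    bound = sign_bound(SHARED_SUBKEY, msg, PRIMARIES["Work"])
    print("plain signature accepted under:", accepting_primaries(msg, plain, False))
    print("bound signature accepted under:", accepting_primaries(msg, bound, True))
```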
