At 05:08 PM 10/29/2003 -0500, Michael Young wrote:
> Trevor Perrin wrote (in another message):
> > I don't want to re-confuse an issue you've just clarified, but
> > here's a generalization of the second proposal that might be worth
> > considering:
> >
> > You could include in *every* signature a subpacket that contains a
> > hash of *all* enclosing context. By "enclosing context" I mean
> > the key packet for the primary key, along with its
> > self-signatures, and the key packet for the subkey as well (if the
> > signing key is a subkey) along with the subkey binding signature.
> This would add yet another impediment to rewriting self-signatures
> (or binding signatures). To permit rewriting, you'd have to keep
> all past versions (and try each one at verification time) or copy
> that material into the signature.
Good point - you'd only want to include context that won't get invalidated
by re-issued signatures. So I guess we could change the proposal to only
cover key packets, not signature packets, without losing too much:
Proposal: Include in every signature a hashed subpacket that contains a
hash of the relevant key packets. The relevant key packets are the primary
key packet if the signing key is a primary key, or the primary key *and*
subkey packets if the signing key is a subkey.
This stops these 3 manipulations:
- issuing a subkey signature to someone else's key, and claiming their
signatures
- changing the primary key that a signature performed by a re-used subkey
belongs under
- an attacker generating a new key that verifies someone else's signature
Trevor
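The proposal above, worked through as an added example (this is not code from the thread or from any OpenPGP implementation): a signer computes a hash over the primary key packet and, when signing with a subkey, the subkey packet, and carries that hash as a hashed subpacket so it is covered by the signature. The verifier recomputes the hash from the key packets it actually sees enclosing the signing key and rejects the signature if they differ. Ed25519 stands in for the OpenPGP signature algorithm, the key packets are reduced to bare public keys, and the tag bytes 6 and 14 are the OpenPGP packet tags for public key and public subkey used here only for domain separation; the "attacker" in Demo is an assumed second primary key that re-binds the victim's subkey, which is the first and second manipulation listed in the message.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyPacket is a minimal stand-in for an OpenPGP public-key packet
// (only the public key material; real packets carry more fields).
type KeyPacket struct {
	Public ed25519.PublicKey
}

// contextHash builds the proposed hashed subpacket: a hash over the
// primary key packet and, when the signing key is a subkey, the subkey
// packet. Self-signatures and binding signatures are deliberately left
// out so they can be re-issued without invalidating old signatures.
func contextHash(primary KeyPacket, subkey *KeyPacket) []byte {
	h := sha256.New()
	h.Write([]byte{6}) // OpenPGP tag for a public-key packet
	h.Write(primary.Public)
	if subkey != nil {
		h.Write([]byte{14}) // OpenPGP tag for a public-subkey packet
		h.Write(subkey.Public)
	}
	return h.Sum(nil)
}

// Signature carries the raw signature plus the hashed subpacket. Because
// the subpacket is part of the signed data, it cannot be altered later.
type Signature struct {
	KeyContext []byte
	Sig        []byte
}

// signedData is what the signer actually signs: message || subpacket.
func signedData(msg, keyContext []byte) []byte {
	return append(append([]byte{}, msg...), keyContext...)
}

// Sign produces a signature that commits to the enclosing key packets.
func Sign(priv ed25519.PrivateKey, primary KeyPacket, subkey *KeyPacket, msg []byte) Signature {
	ctx := contextHash(primary, subkey)
	return Signature{KeyContext: ctx, Sig: ed25519.Sign(priv, signedData(msg, ctx))}
}

// Verify succeeds only if the key packets the verifier sees enclosing the
// signing key are the ones the signer committed to, and the raw signature
// over message || subpacket checks out.
func Verify(signer ed25519.PublicKey, primary KeyPacket, subkey *KeyPacket, msg []byte, s Signature) bool {
	if !bytes.Equal(s.KeyContext, contextHash(primary, subkey)) {
		return false
	}
	return ed25519.Verify(signer, signedData(msg, s.KeyContext), s.Sig)
}

// Demo returns: verification under the original primary key, verification
// after an assumed attacker re-binds the same subkey under their own primary
// key, and whether the bare Ed25519 signature (ignoring the subpacket
// check) still passes. The last value shows that only the context check
// blocks the manipulation.
func Demo() (underOriginal, underAttacker, rawStillValid bool) {
	primaryPub, _, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader) // assumed attacker primary key

	victimPrimary := KeyPacket{primaryPub}
	sub := KeyPacket{subPub}
	msg := []byte("constructed sample message") // constructed input

	s := Sign(subPriv, victimPrimary, &sub, msg)
	underOriginal = Verify(subPub, victimPrimary, &sub, msg, s)

	// Attacker binds the victim's subkey under their own primary key and
	// presents the victim's signature as if it belonged under that key.
	attackerPrimary := KeyPacket{attackerPub}
	underAttacker = Verify(subPub, attackerPrimary, &sub, msg, s)

	rawStillValid = ed25519.Verify(subPub, signedData(msg, s.KeyContext), s.Sig)
	return
}

func main() {
	ok, claimed, raw := Demo()
	fmt.Printf("valid under original primary key: %v\n", ok)
	fmt.Printf("valid after re-binding under attacker's primary key: %v\n", claimed)
	fmt.Printf("raw signature alone still verifies: %v\n", raw)
}
```

The point the third result makes is that the signature algorithm itself is not what ties the signature to a primary key; the signing subkey is the same in both cases, so a verifier that does not recompute and compare the context hash would accept the signature under either primary key.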