At 09:25 AM 10/30/2003 +0100, Adrian von Bidder wrote:
>
>On Thursday 30 October 2003 00:17, Trevor Perrin wrote:
>
>[subkey signatures - embedding the primary to avoid misattribution]
>
>> The case I was thinking of, where key re-use might occur, is in something
>> like a smartcard, or a delegated signing server. This might have limited
>> key storage, or it might not be able to generate new keys (not enough
>> power, or not enough randomness). If different users share the device,
>> they each might want to certify the device's subkey as belonging under
>> their own primary key.
>>
>> The device would want to make sure each of it's signatures are
>>attributable to the right primary key. If every signature is a
>>back-signature, this is accomplished.
>
>The hash of the primary would be over the public key? So the holder of
>the secret subkey can make his subkey signature appear to come from
>whatever primary he wants, he doesn't need the secret (primary) key.
He can make his subkey signature appear to come under any of the primary
keys that have trusted him (i.e. any of the primary keys that have issued
him a subkey binding signature).
>
>So, in your scenario, sharing the secret subkey will effectively mean
>that each can make signatures that will verify with the other's primary.
In my scenario, a bunch of different primary key holders trust a single
subkey holder to perform signatures on their behalf. The subkey holder
wants to make sure that each signature is attributed to the proper primary key.
Maybe this is a use case that subkeys aren't intended to support. But if
every signature covered the primary key and subkey it was produced under,
this would work.
Trevor