ietf-openpgp

Re: Back-signatures, part II

2003-10-30 11:37:29

At 09:25 AM 10/30/2003 +0100, Adrian von Bidder wrote:
>
>On Thursday 30 October 2003 00:17, Trevor Perrin wrote:
>
>[subkey signatures - embedding the primary to avoid misattribution]
>
>> The case I was thinking of, where key re-use might occur, is in something
>> like a smartcard, or a delegated signing server.  This might have limited
>> key storage, or it might not be able to generate new keys (not enough
>> power, or not enough randomness).  If different users share the device,
>> they each might want to certify the device's subkey as belonging under
>> their own primary key.
>>
>> The device would want to make sure each of its signatures is
>> attributable to the right primary key.  If every signature is a
>> back-signature, this is accomplished.
>
>The hash of the primary would be over the public key? So the holder of
>the secret subkey can make his subkey signature appear to come from
>whatever primary he wants, he doesn't need the secret (primary) key.

He can make his subkey signature appear to come under any of the primary keys that have trusted him (i.e. any of the primary keys that have issued him a subkey binding signature).

>
>So, in your scenario, sharing the secret subkey will effectively mean
>that each can make signatures that will verify with the other's primary.

In my scenario, a bunch of different primary key holders trust a single subkey holder to perform signatures on their behalf. The subkey holder wants to make sure that each signature is attributed to the proper primary key.

Maybe this is a use case that subkeys aren't intended to support. But if every signature covered the primary key and subkey it was produced under, this would work.

Trevor
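
The attribution problem discussed in this message, as an added example that is not part of the original post and does not use OpenPGP's actual packet or signature format. It assumes a toy RSA subkey, two constructed primary keys (`ALICE`, `BOB`) that have both bound the subkey, and hypothetical helper names throughout.

```python
import hashlib

# Toy RSA subkey from two Mersenne primes: constructed for illustration, not secure.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
SUBKEY_PUB = f"{N}:{E}".encode()

# Constructed stand-ins for two primary public keys.
ALICE, BOB = b"primary-pub-alice", b"primary-pub-bob"
# Assumption: both primaries issued a valid binding signature over SUBKEY_PUB.
BOUND_UNDER = {ALICE, BOB}

def digest(*parts):
    """Hash length-prefixed fields so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N

def sign_plain(msg):
    """Signature covers only the message."""
    return pow(digest(msg), D, N)

def sign_bound(primary, msg):
    """Signature also covers the primary and subkey it is made under."""
    return pow(digest(primary, SUBKEY_PUB, msg), D, N)

def verify_plain(primary, msg, sig):
    return primary in BOUND_UNDER and pow(sig, E, N) == digest(msg)

def verify_bound(primary, msg, sig):
    return (primary in BOUND_UNDER
            and pow(sig, E, N) == digest(primary, SUBKEY_PUB, msg))

def demo():
    msg = b"release 1.0 approved"           # constructed sample message
    plain = sign_plain(msg)                 # device signs on Alice's behalf
    bound = sign_bound(ALICE, msg)
    return {
        "plain_under_alice": verify_plain(ALICE, msg, plain),
        "plain_under_bob": verify_plain(BOB, msg, plain),   # misattribution
        "bound_under_alice": verify_bound(ALICE, msg, bound),
        "bound_under_bob": verify_bound(BOB, msg, bound),
    }

if __name__ == "__main__":
    print(demo())
```

The subkey holder can still call `sign_bound` for any primary in `BOUND_UNDER` without that primary's secret key, which is the point raised in the quoted reply; what the extra hashed fields prevent is a third party re-attributing an existing signature to a different primary.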

