ietf-openpgp

Re: theory (was Re: Back-signatures proposal)

2003-10-31 12:30:36

On Fri, Oct 31, 2003 at 08:44:39AM -0800, Carl Ellison wrote:

> This concern applies, IMHO, when the keyholder derives power from
> the thing that is signed, as opposed to the normal course of
> business in which the thing signed derives power from the key.

I see the stolen signatures problem as something that naturally
follows from your second example.  As you say, when I issue a
signature on something, I give that something power.  At the same time
though, I certainly don't want someone else claiming that *they* gave
it that power.

As the protocol stands now, it is easy for multiple people to claim
ownership of a given signature, and produce a valid key to back up
that claim.  To be sure, there are other (more difficult) ways for an
attacker to do the same thing, but either of the proposed fixes raises
the bar sufficiently to stop casual exploitation.

David
