-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Trevor Perrin wrote [excerpts quoted out of order]:
...
> I notice the patent has a signature on it, and I know the USPTO is
> in the habit of signing pending applications with its own key.
>
> I go to a PGP key server and find a key claiming to belong to
> USPTO. I use it to verify the application. Since it verifies, I
> jump to the conclusion that the key belongs to the USPTO.
Yes, you have made a serious error in verifying that key.
You wouldn't do this with a document you received insecurely. You
wouldn't do this if you considered the possibility that the USPTO
site might vend documents signed by others, a perfectly reasonable
possibility.
You seem to be relying on this preface:
> Suppose I download the patent application from USPTO's site, over a
> secure link.
If you believe that the link is secure, why wouldn't you use it
to retrieve the USPTO's key? [OK, they might not publish their
key this way. Ask them to do so. If they won't take that
seriously, why would you trust signatures gathered this way?]
Even this has its risks -- a generic "secure link" (like HTTPS)
doesn't carry the connotations that a key certification does. But it
seems less likely that an organization would securely publish dubious
keys (particularly ones that refer to themselves) than documents
signed by third parties. FAR less likely if the key is explicitly
introduced, for example with text to the effect "this is a USPTO
key".
Now, all that said, I'm quite happy with defining a subkey
cross-signature mechanism (and with David Shaw's proposal in
particular). Let's just not overstate the problem.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBP6flHuc3iHYL8FknEQL+4ACgy0ACDS1iAWzdZcnw+9jAeHIjy3IAn1Gb
eZvd12MCfhrJNMDXbFfGFbwx
=baY9
-----END PGP SIGNATURE-----