ietf-openpgp

Re: theory (was Re: Back-signatures proposal)

2003-11-04 15:28:20

At 12:43 PM 11/4/2003 -0500, Michael Young wrote:

> Trevor Perrin wrote [excerpts quoted out of order]:
> ...
> > I notice the patent has a signature on it, and I know the USPTO is
> > in the habit of signing pending applications with its own key.
> >
> > I go to a PGP key server and find a key claiming to belong to
> > USPTO. I use it to verify the application.  Since it verifies, I
> > jump to the conclusion that the key belongs to the USPTO.
>
> Yes, you have made a serious error in verifying that key.
>
> You wouldn't do this with a document you received insecurely.  You
> wouldn't do this if you considered the possibility that the USPTO
> site might vend documents signed by others, a perfectly reasonable
> possibility.
>
> You seem to be relying on this preface:
>
> > Suppose I download the patent application from USPTO's site, over a
> > secure link.

Yes, I'm relying on that.

> If you believe that the link is secure, why wouldn't you use it
> to retrieve the USPTO's key?

Agreed, that would be better.

I'm not saying that verifying a document with a key is a *good* way to authenticate the key. I'm just saying it's something a foolish user might do.

Perhaps such a user deserves what he gets.

However, including relevant fingerprints (of the signing key and primary key) in every signature makes the above safe, whereas the subkey back-signature doesn't, entirely. It also makes safe the case where subkeys are re-used under different primary keys. Since I think the fingerprint solution is also simpler and more efficient, my vote is for that.

But I also agree with David when he says:

"...either of the proposed fixes raises the bar sufficiently to stop casual exploitation."

so I'm fine with either approach.

Trevor
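
An added illustration, not part of the original message and not any OpenPGP implementation's code: it models the case discussed above where one signing subkey is listed under two different primary keys, and shows that hashing the signing-key and primary-key fingerprints into each signature makes verification fail under the wrong primary. The toy RSA key, the `fingerprint` stand-in and the certificate dictionaries are constructed assumptions and do not follow OpenPGP packet formats.

```python
import hashlib

# Toy textbook-RSA signing subkey built from two Mersenne primes.
# Constructed for illustration only: no padding, not secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SUBKEY_PUB = (N, E)

def fingerprint(key_material: bytes) -> bytes:
    """Stand-in fingerprint (assumption): SHA-256 of opaque key bytes."""
    return hashlib.sha256(key_material).digest()

def digest(doc: bytes, cert: dict, bind: bool) -> int:
    """Hash the document; with bind=True also hash both fingerprints."""
    n, e = cert["subkey"]
    h = hashlib.sha256()
    if bind:
        h.update(fingerprint(f"{n}:{e}".encode()))  # signing key
        h.update(fingerprint(cert["primary"]))      # primary key
    h.update(doc)
    return int.from_bytes(h.digest(), "big") % n

def sign(doc: bytes, cert: dict, bind: bool) -> int:
    """Signer uses the subkey's private exponent D under its own certificate."""
    return pow(digest(doc, cert, bind), D, N)

def verify(doc: bytes, sig: int, cert: dict, bind: bool) -> bool:
    """Verifier recomputes the digest from the certificate it looked up."""
    n, e = cert["subkey"]
    return pow(sig, e, n) == digest(doc, cert, bind)

# Constructed certificates: the same signing subkey listed under two primaries.
OWNER_CERT = {"primary": b"constructed primary key A", "subkey": SUBKEY_PUB}
OTHER_CERT = {"primary": b"constructed primary key B", "subkey": SUBKEY_PUB}
DOC = b"constructed sample document"

def demo() -> dict:
    plain = sign(DOC, OWNER_CERT, bind=False)  # signature without fingerprints
    bound = sign(DOC, OWNER_CERT, bind=True)   # signature covering fingerprints
    return {
        "plain_under_other": verify(DOC, plain, OTHER_CERT, bind=False),
        "bound_under_other": verify(DOC, bound, OTHER_CERT, bind=True),
        "bound_under_owner": verify(DOC, bound, OWNER_CERT, bind=True),
    }

if __name__ == "__main__":
    print(demo())
```

The plain signature verifies under either certificate, so it says nothing about which primary key the signer meant; the fingerprint-covering signature verifies only under the certificate it was made for.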
