ietf-openpgp

Re: Signature calculation language

2005-10-11 15:41:29

David Shaw writes:
Wondering - should the embedded 0x19 signature be a MUST?  Lacking a
0x19 allows the signing subkey to be "stolen" onto another primary
key.

To remind readers, the 0x19 signature is issued by signing subkeys on
top-level keys, so that we have two-way binding.  The top key signs the
subkey and the subkey signs the top key, so each key agrees that they
belong together in a pair.

The problem is that if it is not a MUST, someone who does create
such a 0x19 back signature to bind his subkey is still at risk of it
being stolen.  The thief would bring just the subkey over and put a new
signature on it by his top key, and there would be no sign of the 0x19
signature the victim had created to try to stop this theft.  There would
be no 0x19 signature on the new key, but if it is not a MUST then we
might have to assume that this was just a choice by the key holder not
to create one.

So it does seem like it must be a MUST in order to be an effective
deterrent.

One possible problem is if there is any substantial set of signing subkeys
in use that don't have the 0x19 signature.  Signatures issued by those
keys might become invalid.  I don't think we have any from pgp.com; we
did not previously support signing subkeys.

Hal Finney
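To make the two-way binding and the "stolen subkey" case concrete, here is an added Go model; it is not code from this list, the draft, or any OpenPGP implementation. It assumes ed25519 keys and simplifies the data both signatures cover to primary||subkey (the real format hashes the key packets plus a signature header); Verify takes the "0x19 is a MUST" policy as a flag so both outcomes can be compared.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Key pair; ed25519 stands in for whatever algorithm the real OpenPGP keys use.
type Key struct{ Pub ed25519.PublicKey; Priv ed25519.PrivateKey }
func NewKey() Key { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return Key{pub, priv} }

// Binding models a 0x18 subkey binding signature (primary over subkey) with an
// optional embedded 0x19 back signature (subkey over primary); Sig19 is nil if absent.
// Both signatures cover primary||subkey, a stand-in for the real hashed key packets.
type Binding struct{ Primary, Subkey ed25519.PublicKey; Sig18, Sig19 []byte }
func data(primary, subkey ed25519.PublicKey) []byte { return append(append([]byte{}, primary...), subkey...) }

// Bind is what the key holder does: the primary signs the subkey, and optionally the subkey signs back.
func Bind(primary, subkey Key, withBackSig bool) Binding {
	d := data(primary.Pub, subkey.Pub)
	b := Binding{primary.Pub, subkey.Pub, ed25519.Sign(primary.Priv, d), nil}
	if withBackSig {
		b.Sig19 = ed25519.Sign(subkey.Priv, d)
	}
	return b
}

// Verify applies the verifier's policy: mustHaveBackSig is true when 0x19 is a MUST.
func Verify(b Binding, mustHaveBackSig bool) bool {
	d := data(b.Primary, b.Subkey)
	if !ed25519.Verify(b.Primary, d, b.Sig18) {
		return false
	}
	if b.Sig19 == nil {
		return !mustHaveBackSig
	}
	return ed25519.Verify(b.Subkey, d, b.Sig19)
}

// Scenario rebinds the victim's public subkey under another primary; this needs no secret
// of the victim's, so only the verifier's policy decides whether the result is accepted.
func Scenario() (legit, reboundOptional, reboundMust, copiedBackSig bool) {
	victim, sub, other := NewKey(), NewKey(), NewKey()
	orig := Bind(victim, sub, true)
	rebound := Binding{other.Pub, sub.Pub, ed25519.Sign(other.Priv, data(other.Pub, sub.Pub)), nil}
	copied := rebound
	copied.Sig19 = orig.Sig19 // the victim's 0x19 was made over the victim's primary, not this one
	return Verify(orig, true), Verify(rebound, false), Verify(rebound, true), Verify(copied, true)
}

func main() { fmt.Println(Scenario()) } // true true false false
```

The second and third results are the point of the thread: the rebound subkey is accepted when the back signature is optional and rejected only when it is required, and copying the victim's existing 0x19 across does not help because it was made over a different primary.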