ietf-openpgp

Re: Series of minor questions about OpenPGP 4

2009-01-31 16:33:10
On Thu, 2009-01-29 at 15:53 -0500, David Shaw wrote:
> I suspect it wouldn't hurt, but wouldn't help much either.

Why not? It would solve the problem! Or am I wrong?

> For example, given this:
>
>   Signature === January 1
>   Signature === January 3
>   Signature === January 5
>
> it is clear that the January 5 signature is the latest and the one to
> use.  Given this:
>
>   Signature  === January 1
>   Revocation === January 2
>   Signature  === January 3
>   Revocation === January 4
>   Signature  === January 5
>
> It's still clear which signature is the right one.
>
> I suppose if you had an implementation that insisted on using the
> first signature, regardless of the date, then the revocations would
> force it to look at the last signature..

Yes and this is the point here, isn't it?! ;)

> It may conclude
> that there is no signature at all (after all, the one signature it was
> looking at is revoked).

Well, and I think that's what Peter actually wants. And that's what I'd
suggest, too.
Better to fail altogether than to use something probably evil, just like you
at gnupg decided with the critical bit at the signature expiration time.

I tried to think a little bit about the whole issue with revoking
previous self-sigs. I'm not sure, so please help me with the following:
One dangerous type of attack on cryptosystems is the downgrade attack.
I built some examples in order to find out whether an attacker could do
downgrade attacks on self-sigs (e.g. with different hash algorithms and
other different and security-critical subpackets) and if this would be
prevented by _generally_ revoking old self-sigs that were replaced by
new ones.

I think for these kinds of attacks, revoking the old self-sigs wouldn't
help anything, would it?
Because an attacker could always strip off newer self-signatures and
revocation signatures as he likes, and thus users and actually the whole
OpenPGP-PKI really _RELY_ on functional keyservers that distribute the
complete and up-to-date version of the key.

Or do you see anything that I've missed?

Anyway, as long as the RFC allows implementations to choose which
self-signature they use (and "just" RECOMMENDs using the most recent),
I'd vote to suggest using that revocation trick. At least if it would
work at all ^^
Have we already found a definite answer here?


Best wishes,
-- 
Christoph Anton Mitterer
Ludwig-Maximilians-Universität München

christoph(_dot_)anton(_dot_)mitterer(_at_)physik(_dot_)uni-muenchen(_dot_)de
mail(_at_)christoph(_dot_)anton(_dot_)mitterer(_dot_)name

Attachment: smime.p7s
Description: S/MIME cryptographic signature
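
Added example, not part of the original message or of any OpenPGP implementation: a small Python model of the two selection policies discussed in the thread ("latest by date" and "first signature found"), run over the five-packet history quoted above and over an incomplete copy of the same key. The packet classes, the `select` and `strip_after` helpers, the year and the hash-algorithm labels are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class SelfSig:
    sig_id: str        # constructed label, not a real packet field
    created: date
    hash_algo: str     # stands in for any security-critical subpacket

@dataclass(frozen=True)
class Revocation:
    target: str        # sig_id of the self-signature being revoked
    created: date

def select(packets, policy) -> Optional[SelfSig]:
    """Return the self-signature an implementation would act on.
    "latest": most recent non-revoked self-sig (the recommended choice).
    "first":  first self-sig in packet order; if that one is revoked,
              conclude there is no usable signature (fail closed)."""
    revoked = {p.target for p in packets if isinstance(p, Revocation)}
    sigs = [p for p in packets if isinstance(p, SelfSig)]
    if not sigs:
        return None
    if policy == "first":
        return None if sigs[0].sig_id in revoked else sigs[0]
    live = [s for s in sigs if s.sig_id not in revoked]
    return max(live, key=lambda s: s.created, default=None)

def strip_after(packets, cutoff):
    """Model an incomplete key copy: packets created after cutoff are missing."""
    return [p for p in packets if p.created <= cutoff]

# Constructed history mirroring the January 1..5 example in the thread.
FULL_KEY = [
    SelfSig("s1", date(2009, 1, 1), "MD5"),
    Revocation("s1", date(2009, 1, 2)),
    SelfSig("s3", date(2009, 1, 3), "SHA1"),
    Revocation("s3", date(2009, 1, 4)),
    SelfSig("s5", date(2009, 1, 5), "SHA256"),
]
NO_REVOCATIONS = [p for p in FULL_KEY if isinstance(p, SelfSig)]
STRIPPED = strip_after(FULL_KEY, date(2009, 1, 1))
```

On the complete key the revocations turn the "first" policy's silent use of the January 1 signature into a hard failure, while on the stripped copy both policies accept the old signature, which is why the check only helps a client that has the complete, current key.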