ietf-openpgp

[openpgp] primary key binding signatures (0x19) for non-signing subkeys

2013-03-12 16:08:09
hi OpenPGP folks--

I'm wondering whether authentication-capable subkeys should require
primary key binding signatures (aka "back-sigs" or
"cross-certifications").  There seems to be consensus that
signing-capable subkeys need back-sigs, but it's not clear whether
authentication-capable subkeys need the same thing.

RFC 4880 says:

  For subkeys that can issue signatures, the subkey binding signature
  MUST contain an Embedded Signature subpacket with a primary key
  binding signature (0x19) issued by the subkey on the top-level key.

Many (all?) authentication schemes that use public keys involve making a
signature of some data during the authentication exchange.

This suggests to me that authentication-capable subkeys should have a
back-sig.

Also, i'm considering the possibility of OTR-OpenPGP linkage i mentioned
in a previous thread.  It occurs to me that if Alice manages to
authenticate Bob using some OTR handshake, and she wants to bootstrap
her way from that mutual authentication into an OpenPGP authentication,
then a back-sig is critical.

Mallory can already make her own OpenPGP primary key, attach Bob's User
ID to it, and then attach Bob's actual OTR key as a subkey.  If Alice
just scans the keyserver for primary keys that have Bob's OTR key as a
subkey, there is no way for her to distinguish between Bob's actual key
and Mallory's Fake-Bob key.  A back-sig would provide such a
distinguishing mechanism.

Practically, at least one common implementation (GnuPG) does not create
a back-sig for authentication-capable keys.  Should it do so?  Do other
implementations do so?

Are there any downsides to including a back-sig in every
authentication-capable subkey?

Regards,

        --dkg
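
The check this message asks about, sketched as an added example that is not part of the original post and not taken from GnuPG or any other implementation: it parses a v4 subkey binding signature (0x18) per RFC 4880 and reports when the Key Flags subpacket marks the subkey signing- or authentication-capable but no Embedded Signature subpacket carries a 0x19 back-sig. It is structural only and does not verify either signature cryptographically; the function names and the sample packets are constructed for illustration.

```python
import struct

SIGN, AUTH = 0x02, 0x20   # Key Flags bits, RFC 4880 section 5.2.3.21

def subpackets(area):
    """Return [(type, body), ...] for one v4 signature subpacket area."""
    out, i = [], 0
    while i < len(area):
        n = area[i]; i += 1
        if 192 <= n < 255:                      # two-octet length form
            n = ((n - 192) << 8) + area[i] + 192; i += 1
        elif n == 255:                          # five-octet length form
            n = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket area")
        out.append((area[i] & 0x7F, area[i + 1:i + n]))  # drop critical bit
        i += n
    return out

def parse_sig(body):
    """Split a v4 signature packet body into (sig_type, hashed, unhashed)."""
    try:
        if body[0] != 4:
            raise ValueError("not a v4 signature body")
        hlen = struct.unpack(">H", body[4:6])[0]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        return (body[1], subpackets(body[6:6 + hlen]),
                subpackets(body[8 + hlen:8 + hlen + ulen]))
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed signature body")

def lacks_backsig(binding):
    """True if a 0x18 binding marks the subkey sign/auth-capable but embeds no 0x19."""
    sig_type, hashed, unhashed = parse_sig(binding)
    if sig_type != 0x18:
        raise ValueError("not a subkey binding signature")
    # Trust key flags only from the hashed area; unhashed data is not signed.
    flags = next((b[0] for t, b in hashed if t == 27 and b), 0)
    backsig = any(t == 32 and parse_sig(b)[0] == 0x19 for t, b in hashed + unhashed)
    return bool(flags & (SIGN | AUTH)) and not backsig

# Constructed sample data (hypothetical helpers, no real key material or MPIs).
def make_sig(sig_type, hashed=b"", unhashed=b""):
    return (bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")
def subpkt(t, body):
    return bytes([len(body) + 1, t]) + body     # one-octet length form only

AUTH_ONLY = make_sig(0x18, subpkt(27, b"\x20"))
AUTH_BACKSIG = make_sig(0x18, subpkt(27, b"\x20"), subpkt(32, make_sig(0x19)))
```

A real verifier would go on to check that the embedded 0x19 signature validates under the subkey over the primary key and subkey, which is what ties the subkey's owner to the primary key.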


  • [openpgp] primary key binding signatures (0x19) for non-signing subkeys, Daniel Kahn Gillmor <=