[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PoP & Signer's User ID subpacket?

To: David Shaw <dshaw@xxxxxxxxxxxxxxx>, ietf-openpgp@xxxxxxx
Subject: Re: PoP & Signer's User ID subpacket?
From: Trevor Perrin <trevp@xxxxxxxxx>
Date: Mon, 16 Jun 2003 15:53:11 -0700
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-id: <ietf-openpgp.imc.org>
List-unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
References: <> <>
Sender: owner-ietf-openpgp@xxxxxxxxxxxx

At 06:08 PM 6/16/2003 -0400, David Shaw wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, Jun 16, 2003 at 02:34:26PM -0700, Trevor Perrin wrote:

> I could be wrong, but it seems like PGP keysigning often happens without > Proof-of-Possession of the corresponding private key. For example, at PGP > keysigning parties, I think it's common for people to attest that a > fingerprint really belongs to them, but not have to produce signatures with > the corresponding private key.
That is true.  Some people (like me) send a challenge to the email
address in the user ID, and require that the key owner sign the
challenge before I'll sign the key.  There are a few variations on
this basic idea, some more rigorous than others.
> Is there a risk that Alice could trick someone into certifying that Bob's
> public key belongs to her?  Then someone receiving a signed message from
> Bob might incorrectly think it came from Alice.
Not really, since when Charlie certifies key X, he isn't certifying
that it belongs to anyone other than the string in the user ID.
Assuming Bob doesn't have a user ID "A-L-I-C-E", this shouldn't be a
problem ;)
Of course, it is possible for Alice to attach her own name to Bob's
key as a second user ID, but that user ID wouldn't be selfsigned and
so it would be difficult to get someone else to sign it.

Probably Alice would first ditch Bob's self-signed user ID, then add her own name as an unsigned user ID. How software would display that, and whether users would recognize the danger signs and not sign that, I dunno.

But here's another angle: suppose Alice gets someone to sign her legitimate primary signing key. Then she signs Bob's public key as a subkey of her primary key. So even if you've done a Proof-of-Possession check on Alice's primary key, she can possibly evade that by introducing a subkey.

I'm too lazy to spend a nice summer day testing this, but from the draft it seems like it might work. So I still like encouraging use of the "Signer's User ID" subpacket in the Security Considerations.

Trevor

Follow-Ups:
- Re: PoP & Signer's User ID subpacket?
  - From: David Shaw

References:
- PoP & Signer's User ID subpacket?
  - From: Trevor Perrin
- Re: PoP & Signer's User ID subpacket?
  - From: David Shaw

Prev by Date: Re: PoP & Signer's User ID subpacket?
Next by Date: Re: PoP & Signer's User ID subpacket?
Previous by thread: Re: PoP & Signer's User ID subpacket?
Next by thread: Re: PoP & Signer's User ID subpacket?
Index(es):
- Date
- Thread