[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PoP & Signer's User ID subpacket?


At 10:36 PM 6/16/2003 -0400, Derek Atkins wrote:

Trevor Perrin <trevp@xxxxxxxxx> writes:

> Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> you bury that treasure we stole?"  Charlie replies "If you're really
> Bob, what's our codeword?  And send it to me signed and encrypted, so
> I'll know which public key is yours."  So Bob does.  But Alice now
> slips Charlie a primary key that has Bob's public key as a signing
> subkey, and Alice's public key as an encryption subkey.  Charlie
> decrypts and verifies the message, and is satisfied that the owner of
> this primary key knows the codeword, and is "Bob".  So he encrypts the
> treasure map to Alice's public key.

Except that Alice's subkey wouldn't have a self-signature by Bob's
primary key, so it shouldn't be accepted by Charlie as a valid subkey.

It would have a self-signature by Alice's primary key, but Charlie wouldn't know this was Alice's primary key and not Bob's. In this example, I was assuming there's no web of trust, and Charlie doesn't otherwise know Bob's primary key. Charlie is trying to authenticate Bob and determine Bob's keys, and knows that if Bob sends him (Charlie) a signed and encrypted message containing a "codeword" they both know, then the signing key must belong to Bob.

Charlie then makes the reasonable but wrong assumption that the primary key and the encryption subkey that he found associated with this signing subkey must also belong to Bob.

If the signature on the actual message contained the primary key ID, as a hashed subpacket, then an attacker wouldn't be able to associate her own primary key with Bob's signing key, so then Charlie's assumption would be correct. I think.

Trevor