Re: PoP & Signer's User ID subpacket?

[Trevor Perrin <trevp@xxxxxxxxx>]

At 11:36 PM 6/16/2003 -0400, David Shaw wrote:

> On Mon, Jun 16, 2003 at 03:53:11PM -0700, Trevor Perrin wrote:
> > But here's another angle: suppose Alice gets someone to sign her
> > legitimate primary signing key.  Then she signs Bob's public key as
> > a subkey of her primary key.  So even if you've done a
> > Proof-of-Possession check on Alice's primary key, she can possibly
> > evade that by introducing a subkey.
>
> At least one of the challenge policies (mine) requires that the
> challenge response comes from the primary key.  The primary is the one
> that I got a fingerprint for, and the primary is the one I'm signing
> when I certify the key, so the primary is the one I require the
> challenge response from.

Right, but after you've done this, and checked that Alice really possesses 
her primary private key, Alice can certify a subkey whose private key she 
doesn't really possess.

The problem is that there's a forward-linkage from a primary key to a 
subkey, but no back-linkage from a signing subkey to the primary key.  Hal 
suggested having the signing subkey also certify the primary key.  I 
suggested having the signatures produced by the signing subkey have the 
primary key's ID as a hashed subpacket.


Trevor