Re: PoP & Signer's User ID subpacket?

[David Shaw <dshaw@xxxxxxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 17, 2003 at 09:48:31AM -0400, Derek Atkins wrote:
> David Shaw <dshaw@xxxxxxxxxxxxxxx> writes:
> 
> > On Mon, Jun 16, 2003 at 10:36:58PM -0400, Derek Atkins wrote:
> > > 
> > > Trevor Perrin <trevp@xxxxxxxxx> writes:
> > > 
> > > > Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> > > > you bury that treasure we stole?"  Charlie replies "If you're really
> > > > Bob, what's our codeword?  And send it to me signed and encrypted, so
> > > > I'll know which public key is yours."  So Bob does.  But Alice now
> > > > slips Charlie a primary key that has Bob's public key as a signing
> > > > subkey, and Alice's public key as an encryption subkey.  Charlie
> > > > decrypts and verifies the message, and is satisfied that the owner of
> > > > this primary key knows the codeword, and is "Bob".  So he encrypts the
> > > > treasure map to Alice's public key.
> > > 
> > > Except that Alice's subkey wouldn't have a self-signature by Bob's
> > > primary key, so it shouldn't be accepted by Charlie as a valid subkey.
> > 
> > I think Trevor was referring to Alice generating a brand new primary
> > signing key and encryption subkey, and then using the new primary to
> > self-sign Bob's signing subkey (or transform Bob's primary into a
> > subkey and self-sign that).  Alice then is in posession of a key that
> > will correctly verify Bob's signatures, but someone encrypting to the
> > key will encrypt to Alice.
> > 
> > Alice can't issue signatures as Bob, but can attempt to claim existing
> > Bob signatures as her own.
> 
> Well, the obvious fix for this attack is to require all signing keys
> to be authoritative.  If we're going to allow signature subkeys (as
> opposed to just encryption subkeys), then the self-signature on that
> subkey should be a two-factor signature, requiring BOTH secret keys.

Yes.  Hal suggested something similar, but to have the signing subkey
certify the primary.

Does anyone have any thoughts on the details of this?  We already have
all the parts needed to have a signing subkey certify the primary
(just have the subkey issue a 1F signature).  I like your suggestion
to put it in the subkey self-signature since that will avoid the
inevitable messiness when a subkey is deleted, but leaves behind the
1F signature.  Putting it in the subkey self-signature keeps things
neat.

With regards to signing subkeys in general, I'd much rather fix the
problem than drop signing subkeys.  2440 defined signing subkeys years
ago, and they are already in use today (this message is signed by
one).  They are very useful in a good number of situations.  To remove
them now seems like a step backwards.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7yAq4mZch0nhy8kRAvMdAKCsBsZK5LITnlFr4m/enwqUdmruUACgy/Dc
RzWq73rYII43Mabr7S0QNO4=
=RBrQ
-----END PGP SIGNATURE-----