binding sigs

Atom 'Smasher' atom at suspicious.org
Mon Jul 26 19:20:26 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

is this considered an attack:
mallory generates a few thousand (or more) keys and signs bob's 
key with all of them (maybe spoofing different dates). mallory posts bob's 
signed key to a keyserver, where these signatures will spread and become a 
burden, not an asset, to bob's key.

mallory could also create keys with UIDs of infamous persons, and post 
those public keys to the keyservers, giving the *impression* that bob's 
key was signed by mass murderers, rapists, war criminals, etc.

of course the way to avoid this (and similar nuisances) is to require that 
certification signatures (0x10 - 0x13) must be accepted by bob's primary 
key before they are accepted by OpenPGP implementations (especially 
keyservers). however, bob must be able to import such a key signature 
before it's accepted, or he will have no way to accept it.

and, of course, if bob accepts a certification signature from alice, alice 
must be able to revoke that signature without requiring acceptance from 
bob.

is it feasible (or desired) to add such a mechanism to the OpenPGP 
standard?

thanks....


  	...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"I am committed to helping Ohio deliver its electoral
 	 votes to the president [Bush] next year"
 		-- Walden O'Dell, CEO of Diebold
 		August 2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iQEcBAEBCAAGBQJBBT1hAAoJEAx/d+cTpVciXcQH/RYxVfcqFEClzHCI+Yet/Bfb
R184URYZTjnfxpRwALPiofJ26OY3srk8LtuBpTZwCo8ovSd7O4ByjS5b2y8JYgwj
3gDQN25CWbld/U5oKUkuu6YM4Fz/LFEgDLII8xqv7YURIuOvtfbU4zsb8mZxIyRu
Qg045+zmFXN06L8jGojKPEoZO+8nhCR/q5xJ2hJ9kcUKrlKxnIKJIcAQyj/dyAcQ
5BMdmlILHuQXVIuZTgDr0qVsfrXrDUVfVaRRjfRNE4ptxUrYvINuTg8lSZcbjJ/6
t3P85I66VazJp2yxDdQWJppfdgDozqhyX4kIEQIZZVh9BwPTA0mef8K9VaybEfY=
=SWAd
-----END PGP SIGNATURE-----
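The policy sketched in the post (third-party certifications 0x10-0x13 are held until bob's primary key accepts them, bob can still see and import the held ones, and the certifier can withdraw one without bob), as an added toy model that is not part of the original message or of GnuPG. It assumes a hypothetical "accept" signature made by the target's primary key over the certification being accepted, and uses an HMAC as a stand-in for real OpenPGP signature verification, so the keyserver here holds every key's secret; a real server would verify signature packets against public keys instead. The key ids, the flood size and bob's UID are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Certification signature types from the OpenPGP spec (0x10-0x13).
CERT_TYPES = (0x10, 0x11, 0x12, 0x13)


@dataclass
class Key:
    """Toy key: HMAC stands in for a real OpenPGP signature (assumption)."""
    key_id: str
    secret: bytes

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


def new_key() -> Key:
    return Key(secrets.token_hex(8), secrets.token_bytes(32))


@dataclass(frozen=True)
class Cert:
    """A third-party certification of (target, uid) made by signer."""
    sig_type: int
    signer: str
    target: str
    uid: str
    sig: bytes


def cert_body(sig_type: int, target_id: str, uid: str) -> bytes:
    return f"{sig_type:#x}|{target_id}|{uid}".encode()


def certify(signer: Key, target: Key, uid: str, sig_type: int = 0x10) -> Cert:
    sig = signer.sign(cert_body(sig_type, target.key_id, uid))
    return Cert(sig_type, signer.key_id, target.key_id, uid, sig)


def accept(owner: Key, cert: Cert) -> bytes:
    # Hypothetical acceptance packet: the target's primary key signs over the
    # certification it accepts (bound here via the certification's signature bytes).
    return owner.sign(b"accept|" + cert.sig)


def revoke(signer: Key, cert: Cert) -> bytes:
    # Certification revocation by the certifier; needs nothing from the owner.
    return signer.sign(b"revoke|" + cert.sig)


class Keyserver:
    def __init__(self) -> None:
        self.keys: dict[str, Key] = {}
        self.pending: dict[str, dict[bytes, Cert]] = {}   # valid, not yet accepted
        self.accepted: dict[str, dict[bytes, Cert]] = {}  # served as part of the key

    def upload_key(self, key: Key) -> None:
        self.keys[key.key_id] = key

    def submit_cert(self, cert: Cert) -> bool:
        signer = self.keys.get(cert.signer)
        if cert.sig_type not in CERT_TYPES or signer is None or cert.target not in self.keys:
            return False
        if not signer.verify(cert_body(cert.sig_type, cert.target, cert.uid), cert.sig):
            return False
        # Held so the owner can fetch and inspect it, but not attached to the key.
        self.pending.setdefault(cert.target, {})[cert.sig] = cert
        return True

    def pending_for(self, key_id: str) -> list:
        return list(self.pending.get(key_id, {}).values())

    def submit_acceptance(self, cert: Cert, acceptance: bytes) -> bool:
        owner = self.keys.get(cert.target)
        held = self.pending.get(cert.target, {})
        if owner is None or cert.sig not in held:
            return False
        if not owner.verify(b"accept|" + cert.sig, acceptance):
            return False  # only the target's primary key can accept
        self.accepted.setdefault(cert.target, {})[cert.sig] = held.pop(cert.sig)
        return True

    def submit_revocation(self, cert: Cert, revocation: bytes) -> bool:
        signer = self.keys.get(cert.signer)
        if signer is None or not signer.verify(b"revoke|" + cert.sig, revocation):
            return False
        self.pending.get(cert.target, {}).pop(cert.sig, None)
        self.accepted.get(cert.target, {}).pop(cert.sig, None)
        return True

    def published_certs(self, key_id: str) -> list:
        return list(self.accepted.get(key_id, {}).values())


def demo(flood_size: int = 2000) -> dict:
    """Mallory floods bob's key; alice's certification is accepted, then revoked."""
    ks = Keyserver()
    bob, alice, mallory = new_key(), new_key(), new_key()
    for k in (bob, alice, mallory):
        ks.upload_key(k)
    bob_uid = "Bob <bob@example.org>"  # constructed
    for _ in range(flood_size):
        throwaway = new_key()
        ks.upload_key(throwaway)
        ks.submit_cert(certify(throwaway, bob, bob_uid))
    result = {"after_flood": len(ks.published_certs(bob.key_id)),
              "pending_after_flood": len(ks.pending_for(bob.key_id))}
    c = certify(alice, bob, bob_uid, 0x13)
    ks.submit_cert(c)
    ks.submit_acceptance(c, accept(bob, c))
    result["after_accept"] = len(ks.published_certs(bob.key_id))
    mc = certify(mallory, bob, bob_uid)
    ks.submit_cert(mc)
    result["forged_acceptance_ok"] = ks.submit_acceptance(mc, accept(mallory, mc))
    ks.submit_revocation(c, revoke(alice, c))
    result["after_revoke"] = len(ks.published_certs(bob.key_id))
    return result
```

The model shows the trade-off the post hints at: the flood no longer reaches bob's published key, but the pending queue that lets him see and import unaccepted certifications is itself something Mallory can fill, so a keyserver implementing this would still need per-key limits or expiry on held certifications.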



More information about the Gnupg-devel mailing list