binding sigs

David Shaw dshaw at jabberwocky.com
Mon Jul 26 19:32:34 CEST 2004


On Mon, Jul 26, 2004 at 01:20:26PM -0400, Atom 'Smasher' wrote:
> is this considered an attack:
>  	mallory generates a few thousand (or more) keys and signs bob's 
> key with all of them (maybe spoofing different dates). mallory posts bob's 
> signed key to a keyserver, where these signatures will spread and become a 
> burden, not an asset, to bob's key.
> 
> mallory could also create keys with UIDs of infamous persons, and post 
> those public keys to the keyservers, giving the *impression* that bob's 
> key was signed by mass murderers, rapists, war criminals, etc.

It's not a really useful attack since it does not actually impact the
security of the system.  It's more of a prank.  It happened quite a
bit back in the PGP 2 days (check out some of the sigs on prz's key),
but then people got bored with it since it doesn't actually do
anything harmful.

> of course the way to avoid this (and similar nuisances) is to require that 
> certification signatures (0x10 - 0x13) must be accepted by bob's primary 
> key before they are accepted by OpenPGP implementations (especially 
> keyservers). however, bob must be able to import such a key signature 
> before it's accepted, or he will have no way to accept it.
> 
> and, of course, if bob accepts a certification signature from alice, alice 
> must be able to revoke that signature without requiring acceptance from 
> bob.
> 
> is it feasible (or desired) to add such a mechanism to the OpenPGP 
> standard?

Already in there.  That's what the keyserver no-modify flag is for.
No keyserver currently follows it though.

David


