offline primary keys
dshaw at jabberwocky.com
Wed Sep 24 18:28:46 CEST 2014
On Sep 24, 2014, at 12:05 PM, Hauke Laging <mailinglisten at hauke-laging.de> wrote:
> On Wed 24.09.2014, 11:39:33, David Shaw wrote:
>> If the primary key can't sign, they can't respond to this challenge.
>> A signing subkey isn't sufficient here, as it can be attached to any
>> number of keys, so a signature from it does not prove access to the
>> primary key. Backsigs don't help this problem since backsigs only
>> protect against a "stolen" subkey - not against one that is
>> intentionally attached to multiple primary keys.
> So what difference is this going to make in real life?
> Somebody proves his identity with an official ID, claims towards
> witnesses that he owns the key with the respective fingerprint, controls
> the signing subkey (or not: If you can get a subkey signature from the
> mainkey why not a data signature?) and has a certification signature for
> this subkey.
> And then what? A document appears and the key holder is held responsible
> for it. And then he just says "I don't own this key. I never did. I have
> no idea why you believe this was mine" or what?
That's not a problem that key certifications can solve. Key signing says nothing about the reliability or responsibility of the person. When I make a certification, I'm essentially saying "I checked that there is a binding between this key, and the entity named in the user ID. Here is a URL that says exactly what I checked."
For all I know, that person shares his key with dozens of people. For all I know, it was hacked long before or after I signed it. I can't know that and key signing doesn't make any statements as to that.
> Even your approach is not safe in an automated procedure. You might send
> the challenge to the wrong person who quotes the text and asks "Why have
> you sent this to me?". And this email is signed because every mail of
> this person is signed (not difficult to find such people, and they are
> not to be blamed for this). The stupid automated tool sees a message
> with the challenge, signed by the right key...
I don't see how this follows. If I sent it to the wrong person, how would they have the right key?
In any event, I didn't mention any automation.
> This is the usual problem that you don't know what signatures are
> supposed to mean. The solution would be a signature notation meaning
> "This signature is part of a certification check for key
Sure, that works fine, and is an improvement. But getting back to the original comment, this signature and notation still need to come from the primary key, and not a subkey.
>>  See, for example, https://dougbarton.us/PGP/PGP-Keysigning.pdf
> Interesting. What is
> "UID collisions are possible, especially in RSA"
> supposed to tell me?
It's often hard to read too much from a PowerPoint since the discussion of each step is missing, but I think that's a typo. I suspect he meant "key ID collisions". I read it as "you need to check the whole fingerprint, since it's easy to create a key ID collision".
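The two checks discussed in this message (the challenge response must be signed by the primary key itself, and the key must be matched on its whole fingerprint rather than a key ID) can be read off the `VALIDSIG` status line that `gpg --status-fd` emits. The sketch below is an added example, not code from this thread or from GnuPG; the function names and the sample status lines are constructed, and it assumes v4 keys with 40-hex-digit fingerprints.

```python
# Added example: decide whether a signed challenge response proves control of
# the PRIMARY key, from the status lines of `gpg --status-fd 1 --verify`.
# VALIDSIG arguments (GnuPG doc/DETAILS): signing-key fingerprint, creation
# date, sig timestamp, expire timestamp, version, reserved, pubkey algo,
# hash algo, sig class, primary-key fingerprint.

def normalize_fpr(fpr):
    """Strip the spaces people type in fingerprints and upper-case it."""
    return fpr.replace(" ", "").upper()

def check_challenge_response(status_text, expected_primary_fpr):
    """Return (ok, reason) for the status output of one verification."""
    expected = normalize_fpr(expected_primary_fpr)
    if len(expected) != 40:  # assumption: v4 keys; short key IDs can collide
        return False, "expected value is not a full fingerprint"
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        if len(parts) < 12:
            return False, "VALIDSIG line lacks the primary-key fingerprint"
        signer, primary = parts[2].upper(), parts[11].upper()
        if primary != expected:
            return False, "signature belongs to a different primary key"
        if signer != primary:
            # A signing subkey can be attached to any number of primary keys,
            # so its signature says nothing about access to this primary key.
            return False, "signed by a subkey, not by the primary key"
        return True, "signed by the expected primary key"
    return False, "no valid signature in status output"

# Constructed sample data (not real keys or real gpg output).
PRIMARY = "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA"
SUBKEY = "B" * 40
_TAIL = " 2014-09-24 1411575000 0 4 0 1 8 00 " + normalize_fpr(PRIMARY)
BY_PRIMARY = "[GNUPG:] VALIDSIG " + normalize_fpr(PRIMARY) + _TAIL
BY_SUBKEY = "[GNUPG:] VALIDSIG " + SUBKEY + _TAIL

if __name__ == "__main__":
    for name, status in (("primary", BY_PRIMARY), ("subkey", BY_SUBKEY)):
        print(name, check_challenge_response(status, PRIMARY))
```

The check covers only who signed; whether the signed text is the challenge that was actually sent, and what the signature is meant to assert, still has to be established separately, as the thread notes.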