offline primary keys

David Shaw dshaw at jabberwocky.com
Wed Sep 24 18:28:46 CEST 2014


On Sep 24, 2014, at 12:05 PM, Hauke Laging <mailinglisten at hauke-laging.de> wrote:

> On Wed 24.09.2014, 11:39:33, David Shaw wrote:
> 
>> If the primary key can't sign, they can't respond to this challenge. 
>> A signing subkey isn't sufficient here, as it can be attached to any
>> number of keys, so a signature from it does not prove access to the
>> primary key.  Backsigs don't help this problem since backsigs only
>> protect against a "stolen" subkey - not against one that is
>> intentionally attached to multiple primary keys.
> 
> So what difference is this going to make in real life?
> 
> Somebody proves his identity with an official ID, claims towards 
> witnesses that he owns the key with the respective fingerprint, controls 
> the signing subkey (or not: If you can get a subkey signature from the 
> mainkey why not a data signature?) and has a certification signature for 
> this subkey.
> 
> And then what? A document appears and the key holder is held responsible 
> for it. And then he just says "I don't own this key. I never did. I have 
> no idea why you believe this was mine" or what?

That's not a problem that key certifications can solve.  Key signing says nothing about the reliability or responsibility of the person.  When I make a certification, I'm essentially saying "I checked that there is a binding between this key, and the entity named in the user ID.  Here is a URL that says exactly what I checked."

For all I know, that person shares his key with dozens of people.  For all I know, it was hacked long before or after I signed it.  I can't know that and key signing doesn't make any statements as to that.

> Even your approach is not safe in an automated procedure. You might send 
> the challenge to the wrong person who quotes the text and asks "Why have 
> you sent this to me?". And this email is signed because every mail of 
> this person is signed (not difficult to find such people, and they are 
> not to be blamed for this). The stupid automated tool sees a message 
> with the challenge, signed by the right key...

I don't see how this follows.  If I sent it to the wrong person, how would they have the right key?

In any event, I didn't mention any automation.

> This is the usual problem that you don't know what signatures are 
> supposed to mean. The solution would be a signature notation meaning 
> "This signature is part of a certification check for key 
> $mainkey_fingerprint".

Sure, that works fine, and is an improvement.  But getting back to the original comment, this signature and notation still need to come from the primary key, and not a subkey.

>> [1] See, for example, https://dougbarton.us/PGP/PGP-Keysigning.pdf
> 
> Interesting. What is
> 
> "UID collisions are possible, especially in RSA"
> 
> supposed to tell me?

It's often hard to read too much from a PowerPoint since the discussion of each step is missing, but I think that's a typo.  I suspect he meant "key ID collisions".  I read it as "you need to check the whole fingerprint, since it's easy to create a key ID collision".

David
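
An added example, not part of the original message and not GnuPG code: one way to check that a signed challenge response was made by the primary key itself and matches a full fingerprint rather than a key ID. It reads the VALIDSIG status line that gpg emits with --status-fd; the function name, fingerprints and status lines are constructed for illustration.

```python
# Constructed fingerprints; a real check uses the fingerprint verified in person.
PRIMARY = "1111222233334444555566667777888899990000"
SUBKEY = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

def _status(signer, primary):
    # Constructed sample of `gpg --status-fd 1 --verify` output. VALIDSIG args:
    # signer fpr, date, timestamp, expiry, version, reserved, pubkey algo,
    # hash algo, sig class, primary key fpr.
    return ("[GNUPG:] GOODSIG %s Alice <alice@example.org>\n"
            "[GNUPG:] VALIDSIG %s 2014-09-24 1411576126 0 4 0 1 8 01 %s\n"
            % (signer[-16:], signer, primary))

PRIMARY_SIG = _status(PRIMARY, PRIMARY)  # response signed by the primary key
SUBKEY_SIG = _status(SUBKEY, PRIMARY)    # response signed by a signing subkey

def signed_by_primary(status_output, expected_fpr):
    """Return (ok, reason). ok is True only if a valid signature was made by
    the primary key whose full fingerprint is expected_fpr. The caller must
    still compare the signed text with the challenge that was sent."""
    expected = expected_fpr.replace(" ", "").upper()
    # Reject 8- or 16-digit key IDs: collisions on those are easy to create.
    if len(expected) < 40 or any(c not in "0123456789ABCDEF" for c in expected):
        return False, "expected value is not a full fingerprint"
    reason = "no valid signature"
    for line in status_output.splitlines():
        parts = line.split()
        if parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        args = parts[2:]
        if len(args) < 10:
            reason = "primary key fingerprint not reported"
            continue
        signer, primary = args[0].upper(), args[9].upper()
        if primary != expected:
            reason = "signature belongs to a different primary key"
        elif signer != primary:
            # A subkey can be bound to several primary keys, so its signature
            # does not show that the signer controls this primary key.
            reason = "made by a subkey, not the primary key"
        else:
            return True, "made by the expected primary key"
    return False, reason

if __name__ == "__main__":
    print(signed_by_primary(PRIMARY_SIG, PRIMARY))
    print(signed_by_primary(SUBKEY_SIG, PRIMARY))
```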



