Unwanted additions to Keys (was: Thawte Web-Of-Trust)

L. Sassaman rabbi@quickie.net
Thu, 6 Jul 2000 13:03:58 -0700 (PDT) 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6 Jul 2000, Huels, Ralf KSV wrote:

> > [...] they violate etiquette by adding unauthorized UIDs to one's 
> > key (I didn't *want* "Thawte Freemail Member" attached to my key),
> 
> That is a point that has been bugging me for quite some time about
> the public key infrastructure in general. If Iīm not mistaken adding
> a UID is usually not an issue, because you need the private key but 

You are mistaken. Anyone can add user-ids to any key. An implementation of
OpenPGP done correctly will ignore user-ids that do not have valid
self-signatures (IMHO), and you need the private key to make a
self-signature, but that doesn't stop someone from adding a user-id to a
key.

You would have to write your own program to do this, however... I think
that PGP 2.0 or 2.1 was the last PGP implementation that let you do this.

Supposedly Thawte wrote their own tools.

> there is nothing that prevents e.g. a spammer from getting a load
> from the keyservers and signing every key with a key that has UIDs
> that endorse some product or other.
> Maybe this is a minor threat because PGP/GnuPG keys have little mass
> market impact, but that is SbO, isnīt it? ;-)
> On a more practical note I created an RSA key for compatibility
> reasons only to have my first signator sign it with a DSA key.
> 
> Maybe it would hamper the entire concept of public key exchange too
> much, but sometimes I think some protocol to ascertain the key 
> owners consent before tampering with the key is possible would 
> be desirable.

Been done. There is an "owner-update-only" flag in OpenPGP that the user
can select, so that no one can update his key on the keyservers but
himself. [Werner -- does GnuPG support this? I want to come up with a
standard authentication method for use in all OpenPGP clients when sending
keys to the keyserver]


- --Len. 

__

L. Sassaman

System Administrator                |  
Technology Consultant               |  "Credo quia absurdum."
icq.. 10735603                      |  
pgp.. finger://ns.quickie.net/rabbi |          --Tertullian 







-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5ZOY1PYrxsgmsCmoRAmv9AKCpc8s1b6b8ENWwraWgo/4tiLfapACfU62V
X2Ijan3eOG5JaNKQsyY1pFs=
=bWEE
-----END PGP SIGNATURE-----