Unwanted additions to Keys (was: Thawte Web-Of-Trust)

L. Sassaman rabbi@quickie.net
Thu, 6 Jul 2000 13:03:58 -0700 (PDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6 Jul 2000, Huels, Ralf KSV wrote:


> > [...] they violate etiquette by adding unauthorized UIDs to one's
> > key (I didn't *want* "Thawte Freemail Member" attached to my key),
>
> That is a point that has been bugging me for quite some time about
> the public key infrastructure in general. If Iīm not mistaken adding
> a UID is usually not an issue, because you need the private key but
You are mistaken. Anyone can add user-ids to any key. An implementation of OpenPGP done correctly will ignore user-ids that do not have valid self-signatures (IMHO), and you need the private key to make a self-signature, but that doesn't stop someone from adding a user-id to a key. You would have to write your own program to do this, however... I think that PGP 2.0 or 2.1 was the last PGP implementation that let you do this. Supposedly Thawte wrote their own tools.
> there is nothing that prevents e.g. a spammer from getting a load
> from the keyservers and signing every key with a key that has UIDs
> that endorse some product or other.
> Maybe this is a minor threat because PGP/GnuPG keys have little mass
> market impact, but that is SbO, isnīt it? ;-)
> On a more practical note I created an RSA key for compatibility
> reasons only to have my first signator sign it with a DSA key.
>
> Maybe it would hamper the entire concept of public key exchange too
> much, but sometimes I think some protocol to ascertain the key
> owners consent before tampering with the key is possible would
> be desirable.
Been done. There is an "owner-update-only" flag in OpenPGP that the user can select, so that no one can update his key on the keyservers but himself. [Werner -- does GnuPG support this? I want to come up with a standard authentication method for use in all OpenPGP clients when sending keys to the keyserver] - --Len. __ L. Sassaman System Administrator | Technology Consultant | "Credo quia absurdum." icq.. 10735603 | pgp.. finger://ns.quickie.net/rabbi | --Tertullian -----BEGIN PGP SIGNATURE----- Comment: OpenPGP Encrypted Email Preferred. iD8DBQE5ZOY1PYrxsgmsCmoRAmv9AKCpc8s1b6b8ENWwraWgo/4tiLfapACfU62V X2Ijan3eOG5JaNKQsyY1pFs= =bWEE -----END PGP SIGNATURE-----