Unwanted additions to Keys (was: Thawte Web-Of-Trust)
Thu, 6 Jul 2000 13:03:58 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
On 6 Jul 2000, Huels, Ralf KSV wrote:
> > [...] they violate etiquette by adding unauthorized UIDs to one's
> > key (I didn't *want* "Thawte Freemail Member" attached to my key),
> That is a point that has been bugging me for quite some time about
> the public key infrastructure in general. If Iīm not mistaken adding
> a UID is usually not an issue, because you need the private key but
You are mistaken. Anyone can add user-ids to any key. An implementation of
OpenPGP done correctly will ignore user-ids that do not have valid
self-signatures (IMHO), and you need the private key to make a
self-signature, but that doesn't stop someone from adding a user-id to a
You would have to write your own program to do this, however... I think
that PGP 2.0 or 2.1 was the last PGP implementation that let you do this.
Supposedly Thawte wrote their own tools.
> there is nothing that prevents e.g. a spammer from getting a load
> from the keyservers and signing every key with a key that has UIDs
> that endorse some product or other.
> Maybe this is a minor threat because PGP/GnuPG keys have little mass
> market impact, but that is SbO, isnīt it? ;-)
> On a more practical note I created an RSA key for compatibility
> reasons only to have my first signator sign it with a DSA key.
> Maybe it would hamper the entire concept of public key exchange too
> much, but sometimes I think some protocol to ascertain the key
> owners consent before tampering with the key is possible would
> be desirable.
Been done. There is an "owner-update-only" flag in OpenPGP that the user
can select, so that no one can update his key on the keyservers but
himself. [Werner -- does GnuPG support this? I want to come up with a
standard authentication method for use in all OpenPGP clients when sending
keys to the keyserver]
System Administrator |
Technology Consultant | "Credo quia absurdum."
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Tertullian
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
-----END PGP SIGNATURE-----