Key Validity/Trust problems
Tue, 9 Jan 2001 10:44:51 -0000
I've created a program that will be used to encrypt orders using a
specific key from the pubring.gpg. The program decides which key is to
be used based on what the user is doing at the time, eg what
information they are browsing.
This pubring is updated with new keys as and when i create them, but
only if they have been signed by my master signing key.
This works fine, I can distribute the pubring and program with no
problem and update it. However the problem comes when i want to encrypt
to one of the pub keys since their is no valid trust path back to a
fully trusted key. This is because the key used to sign all the pubkeys
(my secret key) cannot be distributed with the program for obvious
Since the user does not know encryption will be taking place, or at
leasts need to be as unaware as possible, i cannot ask the user to
create their own key, and then sign the public keys.
So I'm left with two possible solutions. Create a dummy secret key
that I also sign all new keys with. This dummy key will be distributed
with the program, thus causing a valid trust path back to a fully
trusted key. Would this open any security holes though? The key would
only be used for varifying trust paths, so i presume it would be only
subject to local attacks? Also since the users would never need to sign
or decrypt using this key, i could make a very very very long and
difficult passphrase to protect the secret key (although i don't think
the dummy key really needs protecting)
The other option would be to modify my program, so that when gpg says
key trust path cannot be found, are you sure you want to encypt to this
key, It validates the key fingerprint and they uses the key?
Both of these options are only suseptable to local attacks as far as I
can see, and since their are easier attacks on the local machine such as
replacing gpg.exe , i'm not worried about those. Out of the two options
which would be better?
I hope i've explained that ok?
I understand that really users should each have a secret key that they
sign trusted keys with, to make a full trust path (that is how i use
gpg), however I hope you can see why i'm trying to find another solution
for the purposes of my program, since i know all the keys are to be
trusted as i have created them (if they are signed by my secret key that
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to firstname.lastname@example.org