Several questions as feedback on gnupg
Thu Jan 24 02:56:01 2002
On Thu, Jan 24, 2002 at 12:21:02AM +0100, Ingo Kl?cker wrote:
> > My approach could make the same guarantee by splitting the
> > key into several messages (using a secret splitting algorithm) and
> > mailing one part to each email address. However, this stronger
> > guarantee shouldn't be necessary if I understand the OpenPGP key
> > format correctly.
> A variant of your approach would be to do the following:
> For each UID
> sign the UID;
> encrypt the signed key to itself;
> mail the encrypted key to the email address in the signed UID;
> delete the signature again from the UID;
Yes. This variant is equivalent to the secret splitting approach if
and only if the UIDs are truly independent, which I believe they are
(or should be, given that they're at least _partly_ independent :-).
And given that they are, I believe we should use protocols which don't
mislead people into thinking that key verification is an all-or-nothing
affair. I wonder if the phrase "key signing" is itself misleading?
"UID binding" probably describes the operation better: binding a UID
to the key material.
> > I could have already had this evil UID, in fact; maybe I just
> > stripped it from the version of the key I sent to you.
> I would of course download your key from a key server to hinder you from
> sending me a specially prepared key.
That is irrelevant to this discussion; I could add the UID after you
sign the others, and re-upload.
Personally, I distribute my keys "by hand" all the time, although
they're also present on the keyservers. I expect the need for personal
distribution (e.g. via a Web page) may go up once more people start
using OpenPGP and discover the obvious DoS potential of a keyserver
network which allows unrestricted additions to keys and which never
I can't see how getting my key from a keyserver is any safer than getting
a "specially prepared key" from me. I can upload whatever I want to
the keyservers. Can you explain why you believe downloading from the
keyservers is safer? Is there material which is relevant to the signing
process, not covered by the fingerprint, and not visible in the UID?