export single UID of a key

Richard Laager rlaager@wiktel.com
Tue Apr 8 22:20:02 2003


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 8 Apr 2003 14:45:55 -0400, David Shaw wrote:

> On Tue, Apr 08, 2003 at 04:11:28AM +0200, Michael Nahrath wrote:
...
> > 2. Sign only one UID and send it in an encrypted mail to this UID's
> > mail address.
> > Do this for every UID in a key separately.
> > Do _not_ keep these signatures in your normal keyring.
> > If the key owner uploads the signatures to the keyservers he proves
> > that he owns the secret key. You get your signature back via
> > '--refresh-keys'.
> 
> Note that this doesn't really give you what you want in all cases.
> OpenPGP keys are usually made up of a primary signing key and a
> number of secondary encryption keys.  There are other combinations,
> but that is by far the most common.
> 
> Anyway, when you sign a key, you are actually signing the primary
> key plus the user ID.  If you follow #2 above, you are actually
> sending the signed key to an entity that may or may not control the
> signing key - in effect, signing something without strong proof
> that the recipient actually "owns" that key.

If I'm understanding you correctly, a key like the following would be
a problem:
pub Alice <alice@example.com>
sig Alice <alice@example.com>
uid Alice <eve@example.com>
<<NO SELF-SIG>>

In this case, eve@example.com would get a signature for that user id.
However, this would only be possible if the process implementing #2
above wasn't validating self-signatures. What motive* would Alice have
to add a fake userid to her key and add a self-signature to it? If
she wanted to be associated with root@someotherdomain.com for
example, this wouldn't work, unless she could intercept the e-mail
message with the signature. And, if she can intercept mail at that
address, then the signature is valid -- she can in fact read messages
sent to the address.

* I acknowledge the possibility that she might want to annoy someone
with lots of signed uid messages.

The other way I'm interpreting this is that the encryption key used
for encrypting the e-mail might not be the one owned by the primary
key owner. Here again, though, the binding signatures must be
checked.

This technique is what the Robot CA at toehold.com uses, as far as I
can tell. The whole premise is that the signatures mean nothing at
the time of signing. Only by virtue of the recipient decrypting them,
importing them, and sending them to a keyserver do they have meaning.
So yes, there isn't strong proof, but that seems to be a design
choice.

Am I anywhere on target here? Can you clarify what you meant by "If
you follow #2 above..."?

Thanks,
Richard Laager

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPpMvPW31OrleHxvOEQLGTACgrzFhZ1qZo+SyAYkZXAaXp5NIrKgAoNoF
s1hB8Ldgb4UZLdtOmuXUB5lb
=dfmj
-----END PGP SIGNATURE-----
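
The self-signature check discussed in this message, as an added example that is not part of the original post or of GnuPG: it reads a listing in the colon format of `gpg --with-colons --check-sigs` and treats a user ID as eligible for the per-UID signing procedure only if it carries a good certification made by the key's own primary key. The listing is constructed sample data, and the function names are hypothetical.

```python
# Constructed listing in the colon format of `gpg --with-colons --check-sigs`.
# Key IDs, hashes and dates are made up; this is not real key data.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1049760000:::u:::scESC:
uid:u::::1049760000::0000000000000000000000000000000000000001::Alice <alice@example.com>:
sig:!::17:AAAAAAAAAAAAAAAA:1049760000::::Alice <alice@example.com>:13x:
uid:-::::::0000000000000000000000000000000000000002::Alice <eve@example.com>:
sig:!::17:BBBBBBBBBBBBBBBB:1049760000::::Bob <bob@example.com>:10x:
sub:u:2048:16:CCCCCCCCCCCCCCCC:1049760000::::::e:
sig:!::17:AAAAAAAAAAAAAAAA:1049760000::::Alice <alice@example.com>:18x:
"""

# OpenPGP signature types 0x10-0x13 certify a user ID; 0x18 binds a subkey.
CERT_CLASSES = {"10", "11", "12", "13"}


def uid_selfsig_status(listing):
    """Map each user ID to True if it has a good self-signature."""
    primary, current, status = None, None, {}
    for line in listing.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub" and len(f) > 4:
            primary, current = f[4], None      # field 5: primary key ID
        elif rec == "uid" and len(f) > 9:
            current = f[9]                     # field 10: user ID string
            status[current] = False
        elif rec in ("sub", "uat"):
            current = None                     # following sigs are not UID sigs
        elif rec == "sig" and current is not None and len(f) > 10:
            good = f[1].startswith("!")        # field 2: "!" = signature verified
            by_owner = f[4] == primary         # issuer is the primary key itself
            is_cert = f[10][:2] in CERT_CLASSES
            if good and by_owner and is_cert:
                status[current] = True
    return status


def signable_uids(listing):
    """User IDs that pass the self-signature check, in listing order."""
    return [uid for uid, ok in uid_selfsig_status(listing).items() if ok]


if __name__ == "__main__":
    for uid, ok in uid_selfsig_status(SAMPLE).items():
        print("sign and mail" if ok else "skip (no self-sig)", "-", uid)
```
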