export single UID of a key

[David Shaw]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Apr 08, 2003 at 03:21:17PM -0500, Richard Laager wrote:
>  
> On Tue, 8 Apr 2003 14:45:55 -0400, David Shaw wrote:
> 
> > On Tue, Apr 08, 2003 at 04:11:28AM +0200, Michael Nahrath wrote:
> ...
> > > 2. Sign only one UID and send it in an encrypted mail to 
> > this UID's mail
> > > address.
> > > Do this for every UID in a key seperately.
> > > Do _not_ keep these signatures in your normal keyring.
> > > If the key owner uploads the signatures to the keyservers 
> > he prooves that
> > > he owns the secret key. You get your signature back via 
> > '--refresh-keys'.
> > 
> > Note that this doesn't really give you what you want in all cases.
> > OpenPGP keys are usually made up of a primary signing key and a
> > number of secondary encryption keys.  There are other combinations,
> > but that is by far the most common.
> > 
> > Anyway, when you sign a key, you are actually signing the primary
> > key plus the user ID.  If you follow #2 above, you are actually
> > sending the signed key to an entity that may or may not control the
> > signing key - in effect, signing something without strong proof
> > that the
> > recipient actually "owns" that key.
> 
> If I'm understanding you correctly, a key like the following would be
> a problem:
> pub Alice <alice@example.com>
> sig Alice <alice@example.com>
> uid Alice <eve@example.com>
> <<NO SELF-SIG>>
> 
> In this case, eve@example.com would get a signature for that user id.
> However, this would only be possible if the process implementing #2
> above wasn't validating self-sigatures. What motive* would Alice have
> to add a fake userid to her key and add a self-signature to it? If
> she wanted to be associated with root@someotherdomain.com for
> example, this wouldn't work, unless she could intercept the e-mail
> message with the signature. And, if she can intercept mail at that
> address, then the signature is valid -- she can in fact read messages
> sent to the address.
> 
> * I acknowledge the possibility that she might want to annoy someone
> with lots of signed uid messages.
> 
> The other way I'm interpreting this is that the encryption key used
> for encrypting the e-mail might not be the one owned by the primary
> key owner. Here again, though, the binding signatures must be
> checked.

No, the binding signature is useless here.  Think about it: would you
sign my key based on the fact that I signed some random piece of data
at some point in the past?  Surely not, but that is what this system
suggests.

It is certainly true that in the huge majority of cases, the entity
that controls the decryption key is the same one that controls the
signing key.  However, OpenPGP does not in any way require this.  When
you make a signature you are making it over {primarykey,uid}.  The
decryption key is of only incidental importance here.

For example: let's say someone can read my mail, and manages to steal
my key and passphrase.  Big deal - they still didn't get my primary
key, which is stored offline.  I can just revoke the subkeys, and make
some new ones.  Until I realize what happened, the attacker has a
pretty strong incentive to get more signatures on my key.  If people
sign using the suggested method above, then the attacker gets lots of
signatures and doesn't "own" the key.

If people require a signed challenge, the attacker is foiled.  He
cannot fulfil the challenge.

Another place where the suggested system breaks down is in split key
setups where there is one OpenPGP "key" broken into different subkeys
for different employees with the employer controlling the primary.

Finally, what happens with a sign-only key in this system?  Who do you
encrypt the message to?

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+kzvn4mZch0nhy8kRAlrAAJsGwxIW0gAhUIB0ip1RZiNQQ2KN/wCg4y4i
fESplvQ36Q1hCL13MdE4jGk=
=dgiv
-----END PGP SIGNATURE-----