On Tue, 2003-02-25 at 01:54, David Shaw wrote:
> On Mon, Feb 24, 2003 at 09:34:21AM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:

> > This is the case if you can assume that all revocation packets make it
> > through. But I suspect that an attack where the attacker replaces a 0x0=
> > revocation by the key holder with a 0x01 revocation might be possible,
> > so the victim might be led to trust too many signatures.
> The revocation type (0x01, 0x02, etc) is part of (or had better be
> part of!) the hashed data in the signature so it can't be tampered
> with.

This is clear.

> A key that has a 0x01 AND 0x02 revocation can certainly be tampered
> with to remove the 0x02 one... but then, if an attacker could remove
> arbitrary packets, they could remove the 0x01 as well.

I imagined the situation where the victim already has a soft-revoked
key, which is then compromised. For an attacker, it could be easier to
just not let the victim get at the additional 'compromised' revocation
cert than to modify her local key ring and remove the soft revocation -
and it does the job, which is to lead the victim into trusting too many
signatures. (Yes, I didn't spell this out too clearly in my original

Interesting debate you and Richard have going!

-- vbi
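
Added example, not part of the original message: a sketch of the check David describes, reading the revocation reason only from the hashed subpacket area of an OpenPGP v4 key revocation signature (layout per RFC 4880, section 5.2.3) and ignoring the unhashed area. The helper names, the constructed sample bodies and the fail-closed policy for a missing reason are assumptions; the signature is assumed to have been verified already, and nothing here can detect a revocation that was withheld entirely.

```python
import struct

REASON_FOR_REVOCATION = 29      # subpacket type carrying the reason code
SOFT_REASONS = {0x01, 0x03}     # key superseded, key retired
KEY_REVOCATION = 0x20           # signature type of a key revocation

def subpackets(area):
    """Yield (type, data) for every subpacket in one subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                              # one-octet length
            length, i = first, i + 1
        elif first < 255 and i + 2 <= len(area):     # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        elif first == 255 and i + 5 <= len(area):    # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        else:
            raise ValueError("truncated subpacket length")
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # drop the critical bit
        i += length

def revocation_class(sig_body):
    """Return 'soft' or 'hard' for an already verified v4 key revocation."""
    if len(sig_body) < 6:
        raise ValueError("truncated signature body")
    version, sig_type, _pk, _md, hashed_len = struct.unpack(">BBBBH", sig_body[:6])
    if version != 4 or sig_type != KEY_REVOCATION:
        raise ValueError("not a v4 key revocation signature")
    hashed = sig_body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("truncated hashed area")
    # Only the hashed area is covered by the signature; the unhashed area
    # that follows can be rewritten by anyone and is never consulted here.
    for sp_type, data in subpackets(hashed):
        if sp_type == REASON_FOR_REVOCATION and data:
            return "soft" if data[0] in SOFT_REASONS else "hard"
    return "hard"   # assumed policy: no signed reason means treat as compromised

def sp(sp_type, data):
    """Build one constructed subpacket (short-form length only)."""
    return bytes([len(data) + 1, sp_type]) + data

def body(hashed, unhashed):
    """Build a constructed signature body up to the end of the unhashed area."""
    head = struct.pack(">BBBBH", 4, KEY_REVOCATION, 17, 2, len(hashed))
    return head + hashed + struct.pack(">H", len(unhashed)) + unhashed
```
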

