Certs by a revoked key
Adrian 'Dagurashibanipal' von Bidder
Tue Feb 25 10:46:01 2003
On Tue, 2003-02-25 at 01:54, David Shaw wrote:
> On Mon, Feb 24, 2003 at 09:34:21AM +0100, Adrian 'Dagurashibanipal' von B=
> > This is the case if you can assume that all revocation packets make it
> > through. But I suspect that an attack where the attacker replaces a 0x0=
> > revocation by the key holder with a 0x01 revocation might be possible,
> > so the victim might be led to trust too many signatures.
> The revocation type (0x01, 0x02, etc) is part of (or had better be
> part of!) the hashed data in the signature so it can't be tampered
This is clear.
> A key that has a 0x01 AND 0x02 revocation can certainly be tampered
> with to remove the 0x02 one... but then, if an attacker could remove
> arbitrary packets, they could remove the 0x01 as well.
I imagined the situation where the victim already has a soft-revoked
key, which is then compromised. For an attacker, it could be easier to
just not let the victim get at the additional 'compromised' revocation
cert than to modify her local key ring and remove the soft revocation -
and it does the job, which is to lead the victim into trusting too many
signatures. (Yes, I didn't spell this out too clearly in my original
Interesting debate you and Richard have going!
featured link: http://fortytwo.ch/time
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: get my key from http://fortytwo.ch/gpg/92082481
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d