elGamal Keys to Sign+Encrypt

David Shaw dshaw@jabberwocky.com
Tue Jan 14 03:26:02 2003

On Mon, Jan 13, 2003 at 04:57:06PM -0800, Len Sassaman wrote:
> On Mon, 13 Jan 2003, David Shaw wrote:
> > However, that said, why should a CA care?  I wouldn't make the CA
> > signing key an Elgamal signing key, but it shouldn't matter if you
> > certify an ElGamal key.
> It depends on your CSP. A CA is making an assertion that the entity
> possessing the secret key corresponding to a given public key is or has
> some bit of information included in the certificate.

Well, I agree that it comes down to policy.  My point was that there
is no technical issue with making such a signature.

However, it is an interesting question what the appropriate policy is.

> If the public key algorithm is too weak to reasonably trust that the
> private key cannot be discovered by a third party, it is not wise to
> sign.

Traditional OpenPGP certification signatures do not attempt to say
more than some variation on "I certify that such-and-such entity (or
role) matches such-and-such key".  I'm not talking about trust
signatures here, of course, which are a different beast.  It raises
some interesting issues whether the signer should take into account
something other than key ownership when making a certification.  There
are of course exceptions to this, and a signer is free to do whatever
the heck they like anyway.

How different is the example above with signing the key of someone who
is known to make willy-nilly bad signatures?  Your certification is
still strong, despite the poor certification policy that the keyholder
has.  On the other side of this is the fact that nobody likes to be
the one to "enable" a weak link in the web of trust.

No one answer here, I'm afraid.


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson