Create Subkey Binding

Richard Laager rlaager@wiktel.com
Fri Jan 24 16:27:02 2003


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Shaw wrote:
> Let me make sure I understand what you are trying to do - you have
> a secret/public keypair that has no subkey binding, so you want to
> add a binding to the subkey so you can use it.  There is no easy
> way to do this, as GnuPG obviously wants to reject an
> invalid/corrupt subkey. You'd have to patch the code to override
> the checks and force GnuPG to put a binding signature in place.

Yes, that's what I want to do.

> I took a look at s-mail.com, and it looks rather similar to
> hushmail. Was the key generated by s-mail.com and exported to you? 
> Subkeys
> without bindings are not at all secure since any random person can
> insert one and become a man in the middle.

Yes, it seems similar to hushmail in concept. I've never used either
of them before yesterday. The key was generated by a Java applet on
my machine and sent to s-mail via SSL. All client/sever transactions
are encrypted by SSL. I went to their export secret key page, and it
gave me a PGP keyring (.skr file).

I'm not really too interested in using s-mail. I'm perfectly capable
of doing PGP messages the way I have been. However, a contact of mine
has created an s-mail account and I'm interested in exchanging
encrypted and signed mail with him.

I realize that subkeys without bindings are insecure. However, in
this senario, a MITM attack isn't needed. To replace this file as I
was downloading it probably means they have access to my secret key
anyways. And, if they've broken the SSL to do that, they also have my
passphrase that I sent to s-mail in the same transaction.

Richard Laager

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPjFbnW31OrleHxvOEQLCqQCgti9cmw/m+O/V/WWFKRja6oi4E58AniAi
X10NyoU09ITloe0r2QXmIGD6
=KJ4Q
-----END PGP SIGNATURE-----