New crypto idea Implemented in gpg

Brent R. Waters bwaters@CS.Princeton.EDU
Mon Mar 17 22:26:02 2003


>David Shaw wrote:

>One of the things that harms OpenPGP compatibility of this is the lack
>of a self-signature on the user ID.  There is no particular problem
>with the user ID being fake, but the lack of a self-sig hurts (in
>practice, even though the OpenPGP spec allows it).
>
>Is there any problem with signing the user ID?  I imagine that the
>keyid field of the signature can be set to the same as the
>incomparable public key.  Each incomparable public key should be able
>to verify signatures made by the single secret key, correct?

Sorry for the late response, Dave. There is an issue with making use of
signatures. In my scheme two senders have different public keys, but the
incomparable property is such that they cannot tell if they are equivalent
(i.e. if there is just one secret key that can be used to decrypt messages
from either public key). If that secret key (or another common secret key)
were used to sign messages then the two senders could try to verify the
same message with each of their keys. If only one key could verify a
message then the keys are not equivalent; if they both could then they are
equivalent. Using the secret key for signing would thus remove the entire
benefit of using Incomparable Public Keys.

As far as the self-signature goes, there are a few options that I can think
of. One is to leave it the way it is. Another would be for the secret key
holder to have a unique signing key for each distributed key, but use the
same decryption key. This might allow for quick decryption, but also
have some benefits of signed keys. This could be more of a pain in key
management though.

Anyway, I am open to hearing more comments.

Brent