Migrating keys

Wed Nov 26 22:12:20 CET 2003

> It's not watertight. If I have both your secret key and your email account, I
> can do all of this, and have in the end a trusted key to your name where you
> don't have the secret key.  Granted, I'll need coninued access to your mail
> account, but in some circumstances this may be easy.
====================================

if an attacker had both 1) access to person's email account and 2) that
person's secret key, then, why would they need to raise suspicion by
issuing a new key? the old one should work fine, unless the target has
maintained a revocation certificate AND knows that their account and/or
key have been compromised AND issues that certificate to everyone who WILL
(this is future tense!) send them mail.

> I think it's important to think again about what David said: a signature on a
> key is a public statement. It's not just that you (as the recipient of such a
> 'sign my new key' request) believe that nothing bad is going on, but you are
> publicly asserting that the key is genuine, and others rely on this. Possibly
> to do things with expensive real-world consequences if you are wrong (sending
> passwords, ...)
====================================

speaking of not watertight, here's a problem (based on my understanding of
PGP/GPG, correct me if i'm wrong): let's say i've known bob my whole life,
and i sign has key (0x13). i've now personally certified that his key is
really *HIS* key, right?

now, what happens if bob generates a new [encryption] sub-key? well, that
sub-key comes into this world with my signature attached to it and
authenticating it's validity (because the sub-key is self-signed with the
same signing key that i've signed).

in the same way, if bob (or his secret-key) is taken by aliens (or the the
mob, MIB, etc), and *THEY* can also generate a new [encryption] sub-key,
then that new encryption key also bears my signature (but is *NOT* really
bob's key!).

so ultimately, if an attacker can hijack someones secret keyring (or just
the secret-signing-key), they wouldn't need to raise any red flags by
instructing people to use a new key-pair, they could just expire the old
sub-key, and generate a new one, which happens to include a bunch of
signatures (maybe even mine!). of course it's probably easier for an
attacker to steal the secret keyring than to (mathematically) recover it
however, this attack only requires that the signing key is compromised....
this is important because we're mostly using 1024 (DSA) signing keys, even
though [most of] our encryption keys are larger.

moral of the story? if bob is abducted by aliens (or the mob, MIB, etc),
and they have enough computing power to recover his secret-signing-key,
but not enough computing power to recover his secret-encryption-key, this
would be a pretty cool attack, and they could pretend to be bob without
raising too much (if any) suspicion.

another observation, is that a signed email [claiming to be] from bob
saying:
	my old key isn't good any more, here's my new key...

(even though many of us would not trust it, at face value) really has just
as much validity as a new sub-key (which most of us would trust, at face
value) because both are signed by bob's signing key, which we trust (and
may have certified to trust) belongs to bob.... social aspects aside, is
there really a technical difference between trusting a new sub-key and
trusting a signed email, like above? (i propose there is no difference)

        ...atom

 _______________________________________________
 PGP key - http://smasher.suspicious.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

	"The limitation of riots, moral questions aside, is that
	 they cannot win and their participants know it. Hence,
	 rioting is not revolutionary but reactionary because it
	 invites defeat. It involves an emotional catharsis, but
	 it must be followed by a sense of futility."
		-- Martin Luther King, Jr.