Migrating keys (fwd)

Atom 'Smasher' atom-gpg at suspicious.org
Thu Nov 27 15:49:03 CET 2003


> > but, if i sign your key, and you add a sub-key, that carries my
> > signature, just the same as your original key that i signed... my
> > understanding of PGP/GPG is that it's easy to "go back in time" and
> > add a sub-key, so it would appear that the sub-key was also signed.
>
> No.  If you sign my key, you sign my primary key plus a user ID.
> **I** sign my subkeys.  You do not sign them.
====================================

yes. the encryption key isn't signed by other people, just the signing
key.

i knew this would get confusing....

let's see... bob has his key signed by alice. i know alice, and i trust
her signature on bob's key. then bob goes and gets abducted by aliens (or
the mob, MIB, etc) and they have enough computing power to recover his
1024 signing key, but not his 2048 encryption key. (or, maybe bob was just
using one of the faulty ElGamal keys as a primary key?)

now, the aliens (or the mob, MIB, etc) set their computer's clock to some
time *before* alice's signature (setting the time to the past is optional,
but may be useful in some circumstances). then they generate a new
encryption sub-key and (self) sign it with bob's signing key, pretending
to be bob. if they set their clock back, it would appear that the new
sub-key was known to alice (who i trust). even if they don't set their
clock back, it would seem that bob (who i don't know, but i trust alice's
signature on his key) has just generated a new sub-key. none of this
raises any alarm, even though bob could be getting probed by aliens, or
having his bones bleached by the sun.

that key can then be passed off as bob's key, even though it isn't. it
would also appear to be signed by alice (who i trust) although it wasn't.


        ...atom

 _______________________________________________
 PGP key - http://smasher.suspicious.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

	"There is no such thing at this date of the world's history in
	 America as an independent press. You know it, and I know it.
	 There is not one of you who dares to write his honest
	 opinion, and if you did, you know beforehand it would never
	 appear in print. I am paid weekly for keeping my honest
	 opinion out of the paper. Others of you are paid similar
	 salaries for similar things. And any of you who would be so
	 foolish as to write honest opinions would be out on the
	 streets looking for another job.

	"If I allow my honest opinions to appear in one issue of my
	 paper, before 24 hours, my occupation would be gone. The
	 business of the journalist is to destroy the truth, to lie
	 outright, to pervert, to vilify, to fawn at the feet of
	 Mammon and to sell his country and his race for his daily
	 bread. You know it, and I know it, and what folly is this
	 toasting an independent press? We are the tools and the
	 vassals of rich men behind the scenes. We are the jumping
	 jacks. They pull the strings, and we dance. Our talents, our
	 possibilities and our lives are all the property of other men.

	 "We are intellectual prostitutes."
		-- John Swinden, 1953, then head of the New York
		Times, when asked to toast an independent press
		in a gathering at the National Press Club.
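The structure behind the scenario above, as an added model that is not part of the original post and not GnuPG code: a third-party certification covers only the primary key and a user ID, while a subkey binding signature is made by whoever holds the primary key's secret, with whatever creation time they choose. HMAC-SHA256 with the holder's secret stands in for a public-key signature here (so "verifying" recomputes the tag; real OpenPGP would use the public key), and every name, secret and timestamp is constructed. The last function shows the check a verifier can actually make: compare the key against a previously stored copy and flag any subkey that was not there before, regardless of the date its binding signature claims.

```python
# Constructed model (added example): what each OpenPGP-style signature covers,
# and why a third-party certification says nothing about subkeys.  HMAC-SHA256
# with the holder's secret stands in for a public-key signature.
import hashlib
import hmac
from dataclasses import dataclass, field

ALICE_CERT_TIME = 1_100_000  # constructed "time" of alice's certification


def _tag(secret: bytes, *parts: str) -> str:
    """Stand-in for a signature over the concatenation of `parts`."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(part.encode())
        mac.update(b"\x00")  # separator so adjacent parts cannot run together
    return mac.hexdigest()


@dataclass
class Key:
    name: str
    secret: bytes  # holder's private material (constructed, hypothetical)

    @property
    def public(self) -> str:  # identifier a verifier would see
        return hashlib.sha256(self.secret).hexdigest()[:16]


@dataclass
class Subkey:
    public: str
    created: int       # creation time claimed inside the binding signature
    binding_sig: str   # made with the PRIMARY key, never by third parties


@dataclass
class Certificate:
    primary: Key
    uid: str
    subkeys: list = field(default_factory=list)
    certifications: dict = field(default_factory=dict)  # signer name -> sig


def certify(signer: Key, cert: Certificate) -> None:
    """A third party's signature covers primary key + user ID only."""
    cert.certifications[signer.name] = _tag(signer.secret, "cert", cert.primary.public, cert.uid)


def verify_certification(signer: Key, cert: Certificate) -> bool:
    expected = _tag(signer.secret, "cert", cert.primary.public, cert.uid)
    return hmac.compare_digest(cert.certifications.get(signer.name, ""), expected)


def bind_subkey(primary_secret: bytes, cert: Certificate, sub: Key, created: int) -> Subkey:
    """Binding signature: anyone holding the primary secret can make one, at any claimed time."""
    sig = _tag(primary_secret, "bind", cert.primary.public, sub.public, str(created))
    subkey = Subkey(sub.public, created, sig)
    cert.subkeys.append(subkey)
    return subkey


def verify_binding(cert: Certificate, sub: Subkey) -> bool:
    expected = _tag(cert.primary.secret, "bind", cert.primary.public, sub.public, str(sub.created))
    return hmac.compare_digest(sub.binding_sig, expected)


def new_subkeys_since(snapshot: list, cert: Certificate) -> list:
    """Pinning check: subkeys absent from a previously stored copy of the key,
    whatever creation time their binding signature claims."""
    return [s.public for s in cert.subkeys if s.public not in snapshot]


def scenario() -> dict:
    alice = Key("alice", b"alice-secret")
    bob = Key("bob", b"bob-primary-secret")
    cert = Certificate(bob, "Bob <bob@example.org>")
    bind_subkey(bob.secret, cert, Key("bob-enc", b"bob-enc-secret"), created=1_000_000)
    certify(alice, cert)                              # alice signs at ALICE_CERT_TIME
    snapshot = [s.public for s in cert.subkeys]       # what I stored when I first fetched the key

    # Someone holding bob's primary secret adds a subkey with a backdated timestamp.
    rogue = bind_subkey(bob.secret, cert, Key("rogue-enc", b"rogue-secret"), created=900_000)

    return {
        "cert_still_valid": verify_certification(alice, cert),   # unchanged: it covers no subkeys
        "rogue_binding_valid": verify_binding(cert, rogue),       # indistinguishable from bob's own
        "rogue_predates_cert": rogue.created < ALICE_CERT_TIME,   # appears older than alice's signature
        "flagged_by_pinning": new_subkeys_since(snapshot, cert),  # only the stored copy catches it
        "rogue_public": rogue.public,
    }
```

Running `scenario()` shows all three signature checks passing for the backdated subkey while the pinning comparison is the only step that reports it; in practice that is the role of a local keyring copy or a fingerprint you verified out of band, since neither alice's certification nor the binding signature's timestamp can tell the two cases apart.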



