Migrating keys (fwd)

David Corbett dec at io.com
Thu Nov 27 17:11:11 CET 2003 

On Thursday, Nov 27, 2003, at 16:13 US/Pacific, David Shaw wrote:
>> i knew this would get confusing....
>>
>> let's see... bob has his key signed by alice. i know alice, and i 
>> trust
>> her signature on bob's key. then bob goes and get's abducted by 
>> aliens (or
>> the mob, MIB, etc) and they have enough computing power to recover his
>> 1024 signing key, but not his 2048 encryption key. (or, maybe bob was 
>> just
>> using one of the faulty ElGamal keys as a primary key?)
>>
>> now, the aliens (or the mob, MIB, etc) set their computer's clock to 
>> some
>> time *before* alice's signature (setting the time to the past is 
>> optional,
>> but may be useful in some circumstances). then they generate a new
>> encryption sub-key and (self) sign it with bob's signing key, 
>> pretending
>> to be bob. if they set their clock back, it would appear that the new
>> sub-key was known to alice (who i trust).
>
> No.  When you sign a key, you sign the primary, and you sign a user
> ID.  You do not sign a subkey, and thus you are not making a statement
> in any way, shape, or form about the number, quality, or otherwise of
> the subkeys.  Don't read too much into what a key signature means.
> Key signatures have exactly nothing to do with subkeys.

And, to complete the story, since THEM broke the signing key, THEM can 
imitate Bob's signature to their heart's content and you will believe 
the lie (and so will Alice) until a mistake is made and someone draws 
attention to that with a revoke.  The advantage to THEM in creating the 
new sub-key is only to tempt you not to use the old one (which THEM 
cannot decrypt) & thus reduce the chance that you will find the error 
before Alice does.

Morals:
(1) Gpg cannot protect against a compromised key until somebody knows 
that it has been compromised.  If it could, there would be no need to 
revoke type 20 ElGamals.
(2) Alice can only warrant that she checked Bob's identity to match the 
key.  It says nothing about who else has access to that key.  The 
scenario remains the same if Bob voluntarily gives his key to THEM 
before getting it signed by Alice.

-dec

More information about the Gnupg-users mailing list