Migrating keys (fwd)

Atom 'Smasher' atom-gpg at suspicious.org
Sat Nov 29 18:44:11 CET 2003


> > i'm not trying to say that signing someone else's key is a certification
> > that their sub-key(s) are authentic (i'm actually trying to point out
> > where that common assumption breaks down), but it's generally considered
> > to be the case, and the current trust model doesn't complain when that
> > assumption is made.... in fact, the current trust model helps people feel
> > comfortable making that [false] assumption.
> >
> > although a 3rd party signature really does bear no relationship to the sub
> > key(s), most of us consider it convenient to think that it does.
>
> Don't.
>
> I've never met anyone who believed this, but rather than spending a
> lot of time and effort to try and change the standard to remove
> something that is a significant *feature* of the standard.... why not
> just accept how things actually work?
====================

the confusion continues.... i think that most users, esp new users, to
PGP/GPG don't understand that alice's signature on bob's key is *ONLY*
vouching for bob's signing key, *NOT* bob's encryption key(s). i think
most users, and especially most new users, don't really understand about
sub-keys.

it's not that i'm complaining about the system, rather, i'm complaining
about how the system fits into the way people *think* the system works. i
would expect that most people _on_this_list_ know more about the system
than the general public, and i'm basing many of my assumptions on the way
that [i think] the general public looks at this system.

the two questions that remain are:
 1) is there a way to not only trust, but verify someone's sub-key?
is there an easy and/or standardized way for bob to meet with alice and
allow them both to verify each other's sub-keys? they can do this for
their signing keys by exchanging and confirming their key types, sizes and
fingerprints, but i don't know of any application that generates
fingerprints of sub-keys.

 2) if we trust that bob's signing key has not been compromised, is there
a difference between accepting a new key because bob adds a new sub-key to
his public-key; and accepting a new key because bob sent a signed email
that instructs us to do so. in both cases, bob's old key (that we trust)
has signed his new key (which we might not trust, yet). how do i know that
the new key bob generated is the same new key that i think is his new key?
if bob's signing key has been compromised, i could have a new key "from
bob" that's not the same key that bob generated. is this type of attack
likely? i really don't think so, but the question remains.... is there a
(quick, easy and painless) way that me and bob can be sure that we're both
talking about the same sub-key?

looking at rfc 2440 (11.2) it looks like an application should be able to
generate fingerprints for sub-keys. for some applications, it's good
enough enough to trust... other times things should be verified.


	...atom

 _______________________________________________
 PGP key - http://smasher.suspicious.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

	"They that can give up essential liberty to obtain a little
	 temporary safety deserve neither liberty nor safety."
		-- Benjamin Franklin




More information about the Gnupg-users mailing list