revoked key - was: Re: key-signing for pseudonyms

David Shaw dshaw at jabberwocky.com
Sat May 22 02:33:16 CEST 2004


On Tue, May 18, 2004 at 11:37:10AM -0400, Jason Harris wrote:

> But, nobody should sign your new pubkey based on its subkeys, since
> this doesn't prove ownership of the old key material.  Anyone can
> claim those same subkeys as their own by binding them to a pubkey
> they control.  While they can't issue valid signatures from your
> "adopted" signing-capable [sub]keys, and while you could decrypt any
> intercepted traffic for them which was encrypted to your encryption-
> capable "adopted" [sub]keys, it may be enough to generate FUD
> regarding ownership of your key material.

There is an interesting attack against signing subkeys where the
attacker adopts a signing subkey from someone else's key.  As you say,
they cannot issue signatures from this subkey, but the neat bit is
that they can believably claim that documents that you have signed
were in fact signed by them.  Lacking out-of-band means of
verification, there is no way for a user verifying the signature to
know who really made the signature.

This is fixed in the updated OpenPGP draft, and GnuPG will have the
fix as soon as it is standardized.  (Actually, it already has the fix,
but it's disabled.)

David
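
Added example, not part of the original message and not GnuPG code: a toy model of why a binding signed only by the primary key cannot rule out an adopted signing subkey, and how a verifier that also requires a signature made by the subkey itself over the same binding rejects it (the mechanism RFC 4880 later standardized as the primary key binding signature, type 0x19; the post does not name it). The textbook RSA helpers, the Mersenne-prime keys and all names are constructed for illustration.

```python
import hashlib

# Toy textbook RSA (constructed; tiny Mersenne-prime keys, no padding). Illustration only.
def keygen(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def payload(primary_pub, sub_pub):
    # What both signatures cover: the (primary key, subkey) pair.
    return repr((primary_pub, sub_pub)).encode()

def bind_subkey(primary_pub, primary_priv, sub_pub, sub_priv=None):
    """Primary key signs the pair; if the subkey secret is available, it signs back."""
    data = payload(primary_pub, sub_pub)
    binding = {"sub": sub_pub, "sig": sign(primary_priv, data), "backsig": None}
    if sub_priv is not None:
        binding["backsig"] = sign(sub_priv, data)
    return binding

def binding_valid(primary_pub, binding, require_backsig):
    data = payload(primary_pub, binding["sub"])
    if not verify(primary_pub, data, binding["sig"]):
        return False
    if not require_backsig:
        return True          # one-directional check: an adopted subkey passes
    backsig = binding["backsig"]
    return backsig is not None and verify(binding["sub"], data, backsig)

# Constructed keys: the owner's primary key, the owner's signing subkey, a second primary key.
OWNER_PUB, OWNER_PRIV = keygen(2**61 - 1, 2**89 - 1)
SUB_PUB, SUB_PRIV = keygen(2**107 - 1, 2**127 - 1)
OTHER_PUB, OTHER_PRIV = keygen(2**31 - 1, 2**521 - 1)

OWNER_BINDING = bind_subkey(OWNER_PUB, OWNER_PRIV, SUB_PUB, SUB_PRIV)
ADOPTED_BINDING = bind_subkey(OTHER_PUB, OTHER_PRIV, SUB_PUB)   # made without SUB_PRIV

if __name__ == "__main__":
    for who, pub, b in (("owner", OWNER_PUB, OWNER_BINDING), ("adopter", OTHER_PUB, ADOPTED_BINDING)):
        print(who, binding_valid(pub, b, False), binding_valid(pub, b, True))
```

Without the back-signature requirement both bindings verify, so a document signature made by the subkey is attributable to either primary key; with it, only the binding made by the holder of the subkey secret passes.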


More information about the Gnupg-users mailing list