revoked key - was: Re: key-signing for pseudonyms

Malte Gell malte.gell at gmx.de
Sat May 22 05:10:36 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 22 May 2004 02:33, David Shaw wrote:

> There is an interesting attack against signing subkeys where the
> attacker adopts a signing subkey from someone else's key.  As you say,
> they cannot issue signatures from this subkey, but the neat bit is
> that they can believably claim that documents that you have signed
> were in fact signed by them.  Lacking out of band means of
> verification, there is no way for a user verifying the signature to
> know who really made the signature.

Does this mean the attacker takes your subkey, puts it on his own key 
and now we have two different keys which will verify data you have 
signed and a third person can now only guess who really signed the 
data? Frightening...

> This is fixed in the updated OpenPGP draft, and GnuPG will have the
> fix as soon as it is standardized.  (Actually, it already has the
> fix, but it's disabled).

In what way does this fix change gpg's behaviour? The only way to 
prevent such an attack I can think of is to send some random data to 
the person claiming to have signed your stuff and then it gets evident 
that he doesn't have the secret part of that subkey. One more reason to 
carefully check keys...

Malte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFArsSsGzg12gD8wBYRAo/UAJ9/6dYzpD3WW4VFdYGaleoaMHFnSQCgpJNO
jdnhIkBuJTVrDF1ACRWHTuU=
=KDh4
-----END PGP SIGNATURE-----
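
The situation discussed in this message, as a toy model added for illustration (not part of the original post and not GnuPG code): a verifier that checks only the primary-to-subkey binding accepts the same document signature under two different primary keys, while the random-data challenge suggested above separates the real holder of the subkey secret from the claimant. The key sizes, the `subkey:` binding format and all function names are assumptions made for the example; real OpenPGP packets look nothing like this.

```python
# Toy model (constructed; tiny textbook RSA, not OpenPGP formats, not secure).
import hashlib
import secrets

E = 65537

def make_key(p, q):
    """Build a toy RSA key from two primes (Mersenne primes used below)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

def bind(primary, sub_n):
    # One-way binding: the primary key certifies the subkey's PUBLIC part.
    # Creating it does not require the subkey's secret.
    return sign(primary, b"subkey:%d" % sub_n)

def accepts(primary_n, sub_n, binding, doc, doc_sig):
    # A verifier that checks only the primary -> subkey binding.
    return (verify(primary_n, b"subkey:%d" % sub_n, binding)
            and verify(sub_n, doc, doc_sig))

def proves_possession(sub_n, signer):
    # The check proposed in the message: sign fresh random data on request.
    nonce = secrets.token_bytes(16)
    return verify(sub_n, nonce, signer(nonce))

def demo():
    owner = make_key(2**31 - 1, 2**61 - 1)      # real owner's primary key
    sub = make_key(2**89 - 1, 2**107 - 1)       # owner's signing subkey
    claimant = make_key(2**19 - 1, 2**127 - 1)  # second primary, no subkey secret
    doc = b"document signed by the owner"
    doc_sig = sign(sub, doc)
    both_accept = (accepts(owner["n"], sub["n"], bind(owner, sub["n"]), doc, doc_sig),
                   accepts(claimant["n"], sub["n"], bind(claimant, sub["n"]), doc, doc_sig))
    owner_ok = proves_possession(sub["n"], lambda d: sign(sub, d))
    claimant_ok = proves_possession(sub["n"], lambda d: sign(claimant, d))
    return both_accept, owner_ok, claimant_ok

if __name__ == "__main__":
    print(demo())
```
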



