revoked key - was: Re: key-signing for pseudonyms

Malte Gell malte.gell at
Sat May 22 05:10:36 CEST 2004

Hash: SHA1

On Saturday 22 May 2004 02:33, David Shaw wrote:

> There is an interesting attack against signing subkeys where the
> attacker adopts a signing subkey from someone elses key.  As you say,
> they cannot issue signatures from this subkey, but the neat bit is
> that they can believably claim that documents that you have signed
> were in fact signed by them.  Lacking out of band means of
> verification, there is no way for a user verifying the signature to
> know who really made the signature.

Does this mean the attacker takes your subkey, puts it on his own key 
and now we have two different keys which will verify data you have 
signed and a third person can now only guess who really signed the 
data ? Frightening...

> This is fixed in the updated OpenPGP draft, and GnuPG will have the
> fix as soon as it is standardized.  (Actually, it already has the
> fix, but it's disabled).

In what way does this fix change gpg's behaviour? The only way to 
prevent such an attack i can think of is to send some random data to 
the person claiming to have signed your stuff and then it gets evident 
that he doesn't have the secret part of that subkey. One more reason to 
carefully check keys...

Version: GnuPG v1.2.4 (GNU/Linux)


More information about the Gnupg-users mailing list