revoked key - was: Re: key-signing for pseudonyms

David Shaw dshaw at
Sat May 22 05:28:43 CEST 2004

On Sat, May 22, 2004 at 05:10:36AM +0200, Malte Gell wrote:
> On Saturday 22 May 2004 02:33, David Shaw wrote:
> > There is an interesting attack against signing subkeys where the
> > attacker adopts a signing subkey from someone else's key.  As you say,
> > they cannot issue signatures from this subkey, but the neat bit is
> > that they can believably claim that documents that you have signed
> > were in fact signed by them.  Lacking out of band means of
> > verification, there is no way for a user verifying the signature to
> > know who really made the signature.
> Does this mean the attacker takes your subkey, puts it on his own key 
> and now we have two different keys which will verify data you have 
> signed and a third person can now only guess who really signed the 
> data? Frightening...

Exactly, yes.

> > This is fixed in the updated OpenPGP draft, and GnuPG will have the
> > fix as soon as it is standardized.  (Actually, it already has the
> > fix, but it's disabled).
> In what way does this fix change gpg's behaviour? The only way to 
> prevent such an attack I can think of is to send some random data to 
> the person claiming to have signed your stuff and then it gets evident 
> that he doesn't have the secret part of that subkey. One more reason to 
> carefully check keys...

Currently, the main key signs all subkeys.  The fix is that signing
subkeys sign the main key as well.  Since an attacker who "steals" the
subkey cannot issue this back-signature, it is very obvious that the
attacker key is fraudulent.


More information about the Gnupg-users mailing list
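
The back-signature check described in the message above, modelled as an added example (not code from the post or from GnuPG). It uses toy textbook RSA over constructed keys instead of real OpenPGP packets; all names (subkey_accepted, owner_*, other_*) are hypothetical.

```python
import hashlib

E = 65537  # public exponent; toy textbook RSA for illustration, not OpenPGP

def keygen(p, q):  # returns (modulus n, private exponent d)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(n, *parts):
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(n, d, *parts):
    return pow(digest(n, *parts), d, n)

def verify(n, sig, *parts):
    return pow(sig, E, n) == digest(n, *parts)

def subkey_accepted(primary_n, sub_n, bind_sig, back_sig, require_backsig=True):
    """bind_sig: primary key signs (primary, subkey), the old rule.
    back_sig: subkey signs (primary, subkey), the fix described in the post."""
    if not verify(primary_n, bind_sig, "bind", primary_n, sub_n):
        return False
    if not require_backsig:
        return True
    return back_sig is not None and verify(sub_n, back_sig, "back", primary_n, sub_n)

# Constructed keys from Mersenne primes (far too small for real use).
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))
owner_n, owner_d = keygen(M61, M89)    # legitimate primary key
sub_n, sub_d = keygen(M107, M127)      # owner's signing subkey
other_n, other_d = keygen(M61, M107)   # second primary key adopting the subkey

owner_bind = sign(owner_n, owner_d, "bind", owner_n, sub_n)
owner_back = sign(sub_n, sub_d, "back", owner_n, sub_n)
# The adopting key holds only sub_n (public), so it can bind but not back-sign.
other_bind = sign(other_n, other_d, "bind", other_n, sub_n)

def demo():
    return {
        "owner": subkey_accepted(owner_n, sub_n, owner_bind, owner_back),
        "adopted_old_rule": subkey_accepted(other_n, sub_n, other_bind, None, False),
        "adopted_no_backsig": subkey_accepted(other_n, sub_n, other_bind, None),
        "adopted_copied_backsig": subkey_accepted(other_n, sub_n, other_bind, owner_back),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The copied back-signature fails because it covers the owner's primary key, not the adopting one, so a verifier that requires it rejects the second key.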