revoked key - was: Re: key-signing for pseudonyms

Jerry Windrel jerry.windrel at
Sun May 23 05:03:34 CEST 2004

Hash: SHA1

David Shaw writes:
>There is an interesting attack against signing subkeys where the
>attacker adopts a signing subkey from someone elses key.  As you
>say, they cannot issue signatures from this subkey, but the neat bit
>is that they can believably claim that documents that you have
>signed were in fact signed by them. 

Isn't there also a simpler attack that achieves the same result
without resorting to subkeys?

Alice publishes her legitimate public key.  Mallet can obtain Alice's
public key, replace Alice's name with his own (i.e. Mallet), then go
to a key signing or notary, etc. and show his I.D. along with the
public key's fingerprint.  Thus he could get lots of signatures
attesting that Alice's public key really belongs to Mallet.  He could
then claim documents signed by Alice were really signed by him

Some signers guard against this attack by sending the signed copy of
public keys to their owners, encrypted to them, instead of uploading
them directly to key servers.  That ensures that their signature will
only be able to be used by the legitimate owner of the public key. 
But not everyone follows this precaution.

>This is fixed in the updated OpenPGP draft, and GnuPG will have the
>fix as soon as it is standardized.

Can you describe the fix?  Would this fix also address the simpler
attack I outlined here?

Version: PGP 8.0.3 - not licensed for commercial use:


More information about the Gnupg-users mailing list