revoked key - was: Re: key-signing for pseudonyms

David Shaw dshaw at jabberwocky.com
Sun May 23 06:28:58 CEST 2004


On Sat, May 22, 2004 at 11:03:34PM -0400, Jerry Windrel wrote:
> David Shaw writes:
> >There is an interesting attack against signing subkeys where the
> >attacker adopts a signing subkey from someone else's key.  As you
> >say, they cannot issue signatures from this subkey, but the neat bit
> >is that they can believably claim that documents that you have
> >signed were in fact signed by them. 
> 
> Isn't there also a simpler attack that achieves the same result
> without resorting to subkeys?
> 
> Alice publishes her legitimate public key.  Mallet can obtain Alice's
> public key, replace Alice's name with his own (i.e. Mallet), then go
> to a key signing or notary, etc. and show his I.D. along with the
> public key's fingerprint.  Thus he could get lots of signatures
> attesting that Alice's public key really belongs to Mallet.  He could
> then claim documents signed by Alice were really signed by him
> (Mallet).

These are two different attacks.  The subkey attack allows Mallet to
verify Alice's signatures in such a way that there is no way to tell
if Mallet or Alice made the signature.  This is a technical flaw in
the protocol.

What you are talking about is an identity problem.  The fact that
Mallet could get signatures on Alice's key is a social problem.
People who sign keys without checking what they sign are not very
responsible signers.  The web of trust - in theory - deals with these
people by gradually removing their trust.

> Some signers guard against this attack by sending the signed copy of
> public keys to their owners, encrypted to them, instead of uploading
> them directly to key servers.  That ensures that their signature will
> only be able to be used by the legitimate owner of the public key. 
> But not everyone follows this precaution.

That method is very close to being correct, but not completely correct
for OpenPGP keys (it's fine for PGP 2.x keys).  For OpenPGP keys, it
is slightly better to issue a random challenge and have the key owner
prove their ownership of the key by signing your challenge.

Remember that in OpenPGP, when you "sign a key" you are really signing
the primary key (i.e. the signing key) plus the user ID.  There is no
guarantee that a user either has an encryption subkey or has the
capability to use an existing encryption subkey.  Best to prove the
item that you are actually signing.

> >This is fixed in the updated OpenPGP draft, and GnuPG will have the
> >fix as soon as it is standardized.
> 
> Can you describe the fix?  Would this fix also address the simpler
> attack I outlined here?

The fix is fairly simple conceptually.  Just have the signing subkey
issue a signature on the primary key.  Mallet could not issue such a
signature.  It does not address the attack you mention.  That attack
is a social problem, and is thus resistant to technical solution.

David
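
[Added example, not part of the original message and not GnuPG code: a simplified Go model of the fix described above, in which the signing subkey issues a signature on the primary key. The record layout, the message encoding and the names Subkey, Attach, Valid and Demo are assumptions for illustration; they are not the OpenPGP packet format.]

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Subkey is a simplified signing-subkey record, not the OpenPGP packet format.
type Subkey struct {
	Pub     ed25519.PublicKey
	Binding []byte // primary key's signature over (primary, subkey)
	BackSig []byte // subkey's signature over (primary, subkey): the fix
}

// bindMsg is the (assumed) byte string that both signatures cover.
func bindMsg(prim, sub ed25519.PublicKey) []byte {
	return []byte(fmt.Sprintf("subkey-binding:%x:%x", prim, sub))
}

// Attach binds subPub to a primary key. subPriv is nil when the holder of the
// primary key does not control the subkey (an adopted subkey).
func Attach(primPriv ed25519.PrivateKey, subPub ed25519.PublicKey, subPriv ed25519.PrivateKey) Subkey {
	m := bindMsg(primPriv.Public().(ed25519.PublicKey), subPub)
	sk := Subkey{Pub: subPub, Binding: ed25519.Sign(primPriv, m)}
	if subPriv != nil {
		sk.BackSig = ed25519.Sign(subPriv, m)
	}
	return sk
}

// Valid checks the binding signature and, if requireBack, the back-signature.
func Valid(prim ed25519.PublicKey, sk Subkey, requireBack bool) bool {
	m := bindMsg(prim, sk.Pub)
	if !ed25519.Verify(prim, m, sk.Binding) {
		return false
	}
	return !requireBack || ed25519.Verify(sk.Pub, m, sk.BackSig)
}

// Demo uses freshly generated (constructed) keys for Alice and Mallet.
func Demo() (adoptedOld, adoptedFixed, ownerFixed bool) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil)
	subPub, subPriv, _ := ed25519.GenerateKey(nil)
	malletPub, malletPriv, _ := ed25519.GenerateKey(nil)
	adopted := Attach(malletPriv, subPub, nil) // Mallet adopts Alice's subkey
	return Valid(malletPub, adopted, false), Valid(malletPub, adopted, true),
		Valid(alicePub, Attach(alicePriv, subPub, subPriv), true)
}

func main() {
	fmt.Println(Demo()) // true false true
}
```

[A verifier that checks only the primary key's binding signature accepts the adopted subkey; one that also requires the subkey's own signature over the primary key rejects it while still accepting Alice's.]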
