Q: Local keyring security, attacks and lsign

Richard Laager rlaager at wiktel.com
Mon Sep 6 19:56:32 CEST 2004 

On Mon, 2004-09-06 at 06:38, Stewart V. Wright wrote:
> This comes back to the concept that you can trust that all signatures
> from a certain key are made by someone with control of that key,
> _without_ knowing anything about the ownership of the key.  Someone (a
> Deep-Throat for example) may wish their identity to remain unknown,
> but publish verifiable messages.

There are two sides to this issue:

1. I wish to remain anonymous, but publish verifiable messages.

Obviously, I'm going to generate a key pair and sign all of my messages
with the private key. I know that as I build up an "integrity" record
(with regard to my published messages/articles/whatever), people will
begin to find my signatures valuable: They will have the ability to
recognize a new message as having been written by the same author as the
historical messages they trusted.

The OpenPGP format basically requires that some sort of user ID is
generated for a given key. What name do I put on the key? Let's start
with the easiest. Am I going to use the same real e-mail address for all
(or most) of these messages? If so, I'll put the e-mail address on the
key. If I'm not using a real e-mail address (or e-mail addresses aren't
applicable to these communications), my best bet is to make up a
pseudonym and use that on the key and as my signature.

2. I wish to verify the messages from someone else who wishes to remain
anonymous and is following the procedures listed in #1.

A while back, I was part of a discussion about keysigning practices. I
forget which mailing list it was. I held that signing a key is based on
the signer's knowledge that the key is held by the person _the signer
believes_ is the person represented by the User ID. For example, if PGP
existed back when Samuel Clemens was publishing books under the name
"Mark Twain", I would've had no problem signing his key with a user ID
of "Mark Twain <mark at marktwain.com>". According to my signature policy,
I would give that key a 0x12 signature. I only issue 0x13 after checking
a government identity document. Under this policy, I would be willing to
sign (after some sort of verification), the key from #1 with the
pseudonym.

The point I'm making here is that it's possible for a key to be in WoT
that exists to link anonymously published articles together.

Slightly off the topic, as an interesting exercise, one could publish a
series of articles completely anonymously, signing them with separate
signing subkeys. Later, if one wanted to link some/all together, a
public key could be released with the appropriate subkeys bound to it.
(Back-signatures from the subkeys to the primary key would be required
for this to be trustworthy.)

> How does one protect a key on your
> keyring without having a valid WOT to it?

If a key is not in the WoT and you've imported it and wish to "protect"
it, the easiest way to do this is to sign it locally and set the owner
trust according (which will probably be that you do not trust the
owner). This way, GPG will show document signatures as valid, but will
not cause other potentially untrusted keys to become valid. In your
example, you need to trust that Werner is signing a good copy of the
GnuPG source code. However, you may not want to trust him to make key
signatures. (This is a purely academic statement, applied to the example
of Werner because that's what your posting used. I'm not in any way
suggesting he's not trustworthy for signing keys.)

Now, why would you want to sign (locally or otherwise) a key which you
could not be sure belonged to the owner? If you have not verified the
key, you should probably let GPG scream at you about the key being
untrusted because it is. You don't want to forget that later. However,
local signatures are useful when you've done some verification like 1)
checking that the key you have matches the fingerprint of Werner's key
in e-mails, etc. 2) you've decided to trust the path from your key to
his (when such a path exists). By locally signing the key and setting
the trust to nothing, you can avoid having to "tweak" the trust levels
of others to make his key valid, thus avoiding the problem you mentioned
(other people's keys becoming valid as a side effect).

Now, I'd like to caution you in this whole exercise. This sort of
"protection" would be very important if you keep your public keyring on
a USB key fob, for example. Someone could steal it and change public
keys. The key signatures from your key would allow you to detect such a
change, provided that your configuration file was not tampered with and
specified your key as the only ultimately trusted key.

However, in your case, you said that you're using a relatively public
machine. You also said that root could tamper with your keyrings. In
such a case, there's nothing to stop root from tampering with your GPG
executable to do anything he or she wants.

Richard Laager

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : /pipermail/attachments/20040906/5f9a5ea2/attachment-0001.bin

More information about the Gnupg-users mailing list