back signatures

Christoph Anton Mitterer cam at mathematica.scientia.net
Thu Nov 10 21:00:56 CET 2005 

David Shaw wrote:

>>And what is the "theory" behind them,... e.g. how do they improve security?
>>    
>>
>Current signing subkeys have a weakness in that they can be moved from
>one key to another without the key owner's approval.
>
>This means that if I sign a message with a signing subkey, someone
>else can lift the (public) signing subkey off of my key, attach it to
>theirs, and issue a new binding signature for it.  This person can
>then claim to be the person who signed the message.
>  
>
Ah,... I see,.. but is this problem only limited to signing subkeys? It 
should be, right? Because the primary is protected by the selfsigned 
user id? Or is there another reason? (just want to check if I'm slowly 
understand how all these things work :-D )

btw: You remember my C-only thread (I'll answer you lastest posts 
soon),... I played around a bit and read some parts of rfc2440.
Ok when I split a key using gpgsplit I get about the following:
pubkey
uid
selfsig on uid (Sig type - Positive certification of a User ID and 
Public Key packet(0x13))
subkey
selfsig on subkey (Sig type - Subkey Binding Signature(0x18))

Ok,.. the 0x18 signature ist the one that binds the sub to the primary.
=>so nobody can add his own subkey to my primary because he wouldn't be 
able to make a subkey binding sig, correct?
=>but he is able do take my subkey and remove my 0x18 and add his one 
(that is where your back sig come into the game, correct?)

Is it correct that the primary has not directly a single self sig 
packet, but rather 0x13s are used therefor? If so,.. what is 0x1F 
(signature direct on key) used for? I thought this is used for primary 
selfsigs.


>Note that this person doesn't have the secret key or the passphrase -
>they can't issue NEW signatures.  They can only claim to be the signer
>for existing signatures.  They also can't stop the original signer
>from claiming ownership.  If it comes down to two people, both
>claiming they issued a particular signature, just ask them both to
>sign a challenge (a different challenge for each).  The impostor won't
>be able to.
>
>Anyway, back signatures avoid all that by adding a signature from the
>signing subkey on the primary key.  This proves that the owner of the
>signing subkey is not an impostor, since the impostor could not issue
>such a signature.
>  
>
Ah,.. ok,.. than backsignatures are VERY IMPORTANT, aren't they? And 
everybody should add them to existing keys....
Will gnupg and other clients autmatically indicate if an signing subkey 
has no backsig?


Best wishes, Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cam.vcf
Type: text/x-vcard
Size: 449 bytes
Desc: not available
Url : /pipermail/attachments/20051110/e449e084/cam.vcf

More information about the Gnupg-users mailing list