Certification-only key

David Shaw dshaw at jabberwocky.com
Tue Sep 6 17:06:21 CEST 2005

On Tue, Sep 06, 2005 at 01:03:00AM +0200, Lionel Elie Mamane wrote:

> >> I would obviously have at least one data-signing subkey. I presume
> >> these people would take a signature from such as subkey. Or
> >> decryption of a nonce they sent me encrypted to an encryption
> >> subkey.
> > They might, but really shouldn't (I wouldn't).  When you make a
> > certification signature on someone elses key, you're signing the
> > primary key plus the user ID in question.  There is no benefit in
> > receiving a signed challenge from any key other than the primary.
> But that subkey is attached to the primary key by a signature of the
> primary key. Isn't then control of that subkey enough to "prove"
> control of the primary key?
> Unless:
>  1) Signature scheme cryptographically broken. We have a bigger
>     problem.
>  2) Primary key owner has done stupid things, like sharing subkeys
>     with others. But if we assume he has done that, we might as well
>     assume he would sign the challenge a man-in-the-middle attacker
>     has forwarded him or shared his primary key or ...
> Where's the flaw in the reasoning?

The flaw is that #2 is not necessarily a stupid thing to do.  There
are useful things that can be done by having two different keys that
happen to share subkeys.  It's not illegal in OpenPGP to do so.  In
addition, given the current design of signing subkeys, it's possible
to steal a subkey from someone elses key and pretend that their
signature is from you.  (GnuPG has a fix for this from a recent
OpenPGP draft, but I'm waiting for PGP to implement it before I turn
it on).

The real flaw here is accepting a signature from something other than
the object you are signing.  That's one step removed, and therefore


More information about the Gnupg-users mailing list