Keys without signatures

Maria Lukas van den Berg maria.l.vandenberg at
Sun Mar 5 16:23:33 CET 2006

Dear All,

I was wondering about the following application of keys 
without signatures on the public key (except the 
automatically generated self-sig).

Assume that I create a keypair A and sign my Usenet postings 
using A. I do not want to rely on any signatures on the 
public key of A. Instead I define my identity via the 
postings I make. This means that after I published postings 
P_1 to P_n, I want to be able to do a posting P and by a 
signature on P to prove that P was posted by the same person
who also posted P_1 to P_n, i.e., me. (Unless my private key 
and passphrase got compromised.)

I am aware that no-one can practically generate a signature 
for some posting that will validate against the public key 
of A. This is the one component I need for my scheme.

However, there is a second requirement. No-one should be 
able to create a second keypair B

- which has the same key ID as A,
- where signatures made with A validate against the public 
  key of B.

If such a key B existed, a reader not having the public key 
of A could be tricked into thinking a posting signed by B 
originates from the same person who also signed postings P_1 
to P_n, because the signatures on *all* of those postings 
validate against the public key of B.

Am I on the right track so far in recognizing the possible 
weaknesses of my scheme?

If so, is it practically possible to create such a key B?

If so, what measures could be taken to enhance my scheme?

How about publishing with every posting P_1 to P_n the 
fingerprint of A? At least a watchful recipient would then 
realize that key B is not the right one for checking the 
signatures on postings P_1 to P_n. That's unless the 
attacker succeeds in creating a key B which also has the 
same fingerprint as A. Is this practically doable?

And, asking further, how can I make it as hard as possible 
to create a key with the same fingerprint as A? Is the 
length of the key an issue? Would it, e.g., be more secure 
to create a 4096 bit RSA key instead of a 1024 bit DSA key?

Thanks a lot for your answers and suggestions!
If there is a mailing list where these topics would fit 
better, I'd also be interested to ask there.

Best regards, Luke.
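
Added example, not part of the original post: how an OpenPGP version 4 fingerprint and key ID are derived (RFC 4880, section 12.2). It shows that the key ID is only the low 64 bits of the 160-bit SHA-1 fingerprint, so a reader checking postings against a published value should compare the full fingerprint. The moduli are constructed stand-ins, not real RSA keys, and all function names are hypothetical.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def rsa_v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """V4 public-key packet body: version 4, creation time, algorithm 1 (RSA), n, e."""
    return struct.pack(">BIB", 4, created, 1) + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the body."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def long_key_id(body: bytes) -> str:
    """Key ID: the low-order 64 bits of the fingerprint."""
    return fingerprint(body)[-16:]


def short_key_id(body: bytes) -> str:
    """Short key ID: the low-order 32 bits of the fingerprint."""
    return fingerprint(body)[-8:]


def matches_pin(body: bytes, pinned_fingerprint: str) -> bool:
    """Accept a key only if all 160 bits match the fingerprint published with the postings."""
    return fingerprint(body) == pinned_fingerprint.replace(" ", "").upper()


def constructed_modulus(seed: bytes, bits: int = 1024) -> int:
    """Constructed sample value of the right size; NOT a real RSA modulus."""
    raw = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(bits // 256))
    return int.from_bytes(raw, "big") | (1 << (bits - 1)) | 1


# Constructed sample keys: "A" is the poster's key, "B" is some other key.
KEY_A = rsa_v4_public_key_body(1141572213, constructed_modulus(b"A"), 65537)
KEY_B = rsa_v4_public_key_body(1141572213, constructed_modulus(b"B"), 65537)

if __name__ == "__main__":
    print("fingerprint A:", fingerprint(KEY_A))
    print("long key ID A:", long_key_id(KEY_A), " short:", short_key_id(KEY_A))
    print("B accepted against A's pin:", matches_pin(KEY_B, fingerprint(KEY_A)))
```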

More information about the Gnupg-users mailing list