Modified user ids and key servers and a possible security risk?

Grant Olson kgo at
Thu Aug 26 05:40:19 CEST 2010

On 8/25/10 10:02 PM, Daniel Kahn Gillmor wrote:
> i think you mean "only add *non-self-sigs* that have a "Third Party
> Confirmation" from the original keyholder". 

Yes, of course.

> Would wide adoption of this kind of confirmation create another angle
> that people could use to "force" signatures on a known text?  If so,
> that might be a concern for digests that are known to have weaker
> collision resistance (e.g. the kind of exploits used in the hashclash
> efforts against MD5 back in Dec 2008 [0]).  Do other people see this as
> a concern?

I don't know if that's an issue.  At least with their attack.  They
weren't able to impersonate an existing CA.  They created a bogus
intermediate certificate, and a normal one that had a hash collision.
Once the normal one was signed by a single lax CA, they could issue
certificates that were recognized worldwide based on many web browser's
default settings.

Since all OpenPGP keys are created equal, and none are trusted by anyone
by default, it's a little harder to exploit.  To use the same exploit,
you'd need to:

(1) Generate a bogus pgp key, for example 'barak at'.

(2) Generate a colliding key for 'joe.sixpack at'.

(3) Get a bunch of people to sign the colliding key, which would
probably involve getting fake identification, etc.

(4) Hope that many of the people signing the key are using MD5.

(5) Hope that many of the people using MD5 are trusted by many OpenPGP
users, GSWOT a member or the PGP Global Directory, or at least someone
in the strong set.

(6) After all that you might (repeat might) be able to get the three
signatures required for a random user to fully trust the bogus key.

(7) Profit...

Compare steps 3, 4, and 5 in the OpenPGP scenario to that one lax X.509
CA that's already trusted by browsers worldwide.  And even then, you'll
only trusted by some (possibly many) OpenPGP users.  You won't get
instant world domination.


"I am gravely disappointed. Again you have made me unleash my dogs of war."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 559 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100825/8f9d914d/attachment.pgp>

More information about the Gnupg-users mailing list