Signing multiple keys

Nicholas Cole nicholas.cole at gmail.com
Fri Aug 26 23:18:11 CEST 2011


On Thu, Aug 25, 2011 at 7:21 PM, Doug Barton <dougb at dougbarton.us> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 08/25/2011 11:02, Aaron Toponce wrote:
>> On 08/25/2011 11:56 AM, Jameson Graef Rollins wrote:
>>> Do you want to sign every key in your keyring?  If so, it's not
>>> hard to get gpg to enumerate all of your keys in a
>>> machine-parsable format (see --with-colons output).  If you just
>>> want to sign a subset then you obviously have to enumerate all
>>> the keys yourself, so either of the above solutions seems pretty
>>> easy to me.
>>
>> If I have a public keyring of all the attendees of the party, then
>> I will want to sign every key in that keyring.
>
> The script below is designed for generating challenges as opposed to
> doing the signing, but you may find the bits that iterate the keys on a
> ring interesting.
>
> BTW, this is another one of the reasons that I find the ability to have
> multiple keyrings useful, and would very much miss that functionality if
> it disappeared from gnupg 2.1.
>
>
> http://dougbarton.us/PGP/gen_challenges.html

Dear Doug,

I don't mean this in a negative way, but I struggle to see the point
of such challenges.  The whole point of OpenPGP is that the medium across
which email is transmitted is insecure, and there is a possibility of
a MITM attack.  I don't see how this sort of challenge-response does
anything other than confirm that the controller of a key that claims
to belong to a particular email address is also able to intercept and
send messages to and from that address.

The only scenario that it would protect against is where key A claimed
to belong to email address B, but actually did not, and the owner of
key A was actually unable to read messages sent to address B.

In that case, OpenPGP would be providing no security, but the security
of the email system itself would be such that OpenPGP was unnecessary.

To put it another way: if you trust the email network sufficiently for
your challenge to be useful, doesn't that mean you don't need
encryption?

Have I missed something?

Best wishes,

Nicholas
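Signing every key in a separate keyring by parsing gpg's --with-colons listing, as Jameson and Aaron discuss in the quoted part of the thread; this is an added example, not code from the thread or from GnuPG. The keyring file name party.gpg and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG.  Enumerates every
# primary key in a keyring via gpg's --with-colons listing and signs each one.
# The keyring name (party.gpg) and the sample listing below are assumptions;
# field positions follow gpg's doc/DETAILS (fpr record, field 10).

# Read --with-colons output on stdin and print one primary-key fingerprint per
# line.  An "fpr" record directly after a "pub" record carries the primary key's
# fingerprint; "fpr" records after "sub" records are subkeys and are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "fpr" && want { print $10 }
        { want = ($1 == "pub") }
    '
}

# Sign every primary key found in the given keyring with your default key.
sign_all() {
    keyring=$1
    # Collect fingerprints first: gpg --sign-key is interactive and would
    # otherwise consume the piped listing as its own stdin inside a while loop.
    fprs=$(gpg --no-default-keyring --keyring "$keyring" --with-colons \
               --fixed-list-mode --with-fingerprint --list-keys \
           | primary_fingerprints)
    for fpr in $fprs; do
        # Each signature asserts you verified this key's owner; confirm every
        # prompt against the fingerprint you checked in person.
        gpg --keyring "$keyring" --sign-key "$fpr"
    done
}

# Constructed sample listing (two primary keys, one with a subkey) for an
# offline check of the parser; the fingerprints are made up.
SAMPLE_LISTING='tru::1:1314000000:0:3:1:5
pub:u:4096:1:1111111111111111:2011-08-25:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA11111111:
uid:u::::2011-08-25::0::Alice Example <alice at example.org>:
sub:u:4096:1:2222222222222222:2011-08-25::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB22222222:
pub:u:2048:1:3333333333333333:2011-08-25:::u:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC33333333:
uid:u::::2011-08-25::0::Bob Example <bob at example.org>:'
sample_fingerprints() {
    printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprints
}

if [ "${1:-}" = "--sign" ]; then
    sign_all "${2:-party.gpg}"
else
    sample_fingerprints   # prints the two primary fingerprints of the sample
fi
```

Run with `--sign party.gpg` to sign the real keyring; with no arguments it only exercises the parser on the constructed sample.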
