trust your corporation for keyowner identification?

Paul R. Ramer free10pro at gmail.com
Sun Nov 3 03:08:15 CET 2013


On 11/02/2013 02:25 PM, Leo Gaspard wrote:
> On Sat, Nov 02, 2013 at 11:02:57AM -0700, Paul R. Ramer wrote:
>> Stan Tobias <sttob at privatdemail.net> wrote:
>>> Yes, but by remote communication.  The reasoning goes like this: The
>>> signature is validated by my certificate (or, in case 2a, by my
>>> friends'
>>> whom I trust fully).  The message is authenticated by X's valid
>>> signature,
>>> therefore the message has not been tampered with and its author is X.
>>> X says he uses a new key K2.  Because I've got this message from X,
>>> I have verified the ownership of K2, so I can sign it.
>>
>> Sorry, but this is wrong. The certificate of the first key is valid, the signature of the message is valid, but your correspondent's claim to ownership of the second key is not yet proven. While you know that whoever has control of the first key sent you that message, you have not confirmed that he can decrypt and sign with the second key.
> 
> Isn't the presence of a UID sufficient for this matter ?

No, it is not.  Here is why.  When you verify a key to sign you are
verifying the following:

1) For each UID, that the name is correct and that the purported owner
has control of the email in that UID (possibly also verifying the
comment if it contains something such as "CEO ABC Corporation").
2) That the purported owner has control of the key and can decrypt and
sign messages.

For #1, it is possible that the user has no name or email address in the
UID(s).  Either way, you need to verify the details of the UIDs that you
intend to sign.  For #2, you need to verify the key fingerprint,
algorithm, and key size (but the fingerprint at a minimum) and then have
the user demonstrate that he can decrypt a message encrypted with the
key in question and also sign with it.  This can be done by sending a
message of unknown content (from the purported key owner's perspective)
to him to each email that he claims to have in each of his UIDs
(provided he has any) and require him to reply with a signed copy of the
decrypted message.  This serves to verify the control of the key and the
email addresses.

The reason the presence of a UID on that second key that is in
congruence with UID(s) that you have verified on the first key is not
sufficient is because although the UID may seem good (or maybe even be
identical to the UID(s) on the first key), you have not verified that he
indeed has control of the second key.  While you may feel that the key
*should* be under his control and that there is little chance that it is
not, it does not mean that you have verified his control of that second
key, which means that you have not verified that key.


>> I was commenting on why verification of key details outside of non-secure electronic channels prior to certification  is useful rather than receiving a request electronically for you to certify a person's key and assuming it to be verification enough without using another channel to verify the request and purported key details.
> 
> IMHO, exchanging emails with someone whose key you want to sign is at least as
> important as meeting him / her in person.
> 
> Indeed, a key could have a UID containing only an email address (thus could be
> signed using only an email exchange, by proving the ownership of the email
> address more than any discussion with a pretended email owner), while a UID
> containing only a name would be, IMHO, quite less common, as AFAIK, the most
> common use of PGP is for emails. (Yes, I know, it is not always the case, but
> for the average user it is.)

Verifying the key fingerprint and exchanging encrypted and signed
messages would verify control.  This is true.  You can't verify control
by talking to them in person.

Cheers,

--Paul




More information about the Gnupg-users mailing list