Houston, we have a problem

Stefan Claas stefan.claas at posteo.de
Fri Sep 22 10:03:18 CEST 2017



On 22.09.2017 at 02:37, Ángel wrote:
> On 2017-09-21 at 23:37 +0200, Stefan Claas wrote:
>> Long ago when we had a discussion here on the Mailing List on
>> how to prevent unwanted signatures I made a proposal that
>> signing someone's public key should work similar to revocation
>> certificates. If you would like to sign my pub key you had to
>> send me a, let's call it, Signature Request Certificate, if I accept
>> it I enter my passphrase and then the Software would extract
>> the needed signature bits from the request cert and add those
>> bits to my pub key. Like I said I'm no programmer and can't
>> therefore test if such a feature proposal would work.
>>
>> Regards
>> Stefan
>
> Nope. This would solve the case of «Key of legitimate user signed by
> fake user»¹ but not «Fake user signed by another fake user», which is
> the problem.
>
>
> ¹ Assuming the legitimate one would notice and not allow his key to be
> signed by the evil one, which is no problem, actually.
>
>
> The proposal would be technically feasible (invalidating all existing
> signatures, and probably conflicting with local sigs, but feasible).
> However, it wouldn't solve the underlying problem.
>
>
Thanks for your insights, much appreciated!

Regards
Stefan




More information about the Gnupg-users mailing list