was Re: PGP Key Poisoner // now "Binding one person's subkey to another person's primary key"
vedaal at nym.hush.com
Mon Aug 12 19:09:27 CEST 2019
On 8/12/2019 at 7:28 AM, "Juergen Bruckner via Gnupg-users" <gnupg-users at gnupg.org> wrote:
>Am 11.08.19 um 23:47 schrieb Anonymous Remailer (austria):
>>
>> https://github.com/skeeto/pgp-poisoner
=====
Here is a quote from the above site:
=====[ begin quoted material ]=====
As far as keyserver weaknesses go, key poisoning attacks are really just scratching the surface.
For example, did you know other people can bind your subkeys to their primary key?
=====[ end quoted material ]=====
Can this really be done?
(Does not matter so much to me personally, as I grew up with v3 keys,
and even when using a V4 key, I don't generate a subkey,
but allow all the functions (sign, encrypt, certify) to be done with the master key).
Does matter a lot if I can't trust the subkey of someone whom I want to encrypt to.
How real is this threat, and is it any threat at all,
if simply binding the subkey to a different master key
won't allow anyone other than the 'real' owner to decrypt messages encrypted to that subkey?
TIA
vedaal