was Re: PGP Key Poisoner // now "Binding one person's subkey to another person's primary key"

vedaal at nym.hush.com vedaal at nym.hush.com
Mon Aug 12 19:09:27 CEST 2019



On 8/12/2019 at 7:28 AM, "Juergen Bruckner via Gnupg-users" <gnupg-users at gnupg.org> wrote:

>Am 11.08.19 um 23:47 schrieb Anonymous Remailer (austria):
>> 
>> https://github.com/skeeto/pgp-poisoner

=====
Here is a quote from the above site:

=====[ begin quoted material ]=====

As far as keyserver weaknesses go, key poisoning attacks are really just scratching the surface. 
For example, did you know other people can bind your subkeys to their primary key?

=====[ end quoted material ]=====

Can this really be done?

(Does not matter so much to me personally, as I grew up with v3 keys, 
and even when using a V4 key, I don't generate a subkey, 
but allow all the functions (sign, encrypt. certify) to be done with the master key).

Does matter a lot if I can't trust the subkey of someone whom I want to encrypt to.

How real is this threat, and is it any threat at all, 
if simply binding the subkey to a different master key, 
won't allow for anyone else other than the 'real' owner, to decrypt messages encrypted to that subkey?

TIA

vedaal




More information about the Gnupg-users mailing list