Re: Resolving multiple primary user IDs and self-signatures
David Shaw <dshaw@akamai.com> Sat, 25 August 2001 14:58 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA12240 for <openpgp-archive@odin.ietf.org>; Sat, 25 Aug 2001 10:58:47 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id f7PEikI01690 for ietf-openpgp-bks; Sat, 25 Aug 2001 07:44:46 -0700 (PDT)
Received: from claude.kendall.akamai.com (walrus.ne.mediaone.net [65.96.217.45]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f7PEijD01686 for <ietf-openpgp@imc.org>; Sat, 25 Aug 2001 07:44:45 -0700 (PDT)
Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.9.3/8.9.3) id KAA09099; Sat, 25 Aug 2001 10:44:36 -0400
Date: Sat, 25 Aug 2001 10:44:36 -0400
From: David Shaw <dshaw@akamai.com>
To: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Cc: ietf-openpgp@imc.org
Subject: Re: Resolving multiple primary user IDs and self-signatures
Message-ID: <20010825104436.A7901@akamai.com>
Mail-Followup-To: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>, ietf-openpgp@imc.org
References: <20010824135632.A2183@akamai.com> <tgpu9kgzrb.fsf@mercury.rus.uni-stuttgart.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <tgpu9kgzrb.fsf@mercury.rus.uni-stuttgart.de>; from Florian.Weimer@RUS.Uni-Stuttgart.DE on Sat, Aug 25, 2001 at 01:11:52PM +0200
X-PGP-Key: 2048R/3CB3B415/4D 96 83 18 2B AF BE 45 D0 07 C4 07 51 37 B3 18
X-URL: http://www.jabberwocky.com/
X-Phase-Of-Moon: The Moon is Waxing Crescent (47% of Full)
X-Pointless-Random-Number: 46
X-Silly-Header: It sure is.
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
On Sat, Aug 25, 2001 at 01:11:52PM +0200, Florian Weimer wrote:
>
> David Shaw <dshaw@akamai.com> writes:
>
> > Here are two suggestions to help with resolving multiple user IDs
> > marked primary, as well as resolving multiple self-signatures with
> > different subpackets:
>
> This should probably go into a separate RFC. Currently, RFC 2440 and
> RFC 2440bis deal only with syntactic issues (apart from a minor glitch
> in RFC 2440bis, 'A revoked certification no longer is a part of
> validity calculations.').

True, and it even says that in the Abstract. There is an exception made for security issues: "It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws."

Offhand, I can't think of a security implication to having multiple UIDs marked primary (though I'm sure someone here can). My concern is with the security implications of having multiple conflicting self-signatures. Without some suggested way to resolve the conflict, there can be security implications. If it is truly a security issue, then it is appropriate in 2440bis. (Obviously, I think it's enough of a security issue to mention - I'd like to hear what others think.)

Self-signatures can carry subpackets that definitely affect the actions that may be taken with a key. To use one of my examples from last night, if/when a symmetric cipher or hash is broken, the user can simply announce that cipher or hash is not accepted (via a "preferred symmetric algorithms" or "preferred hash algorithms" subpacket). Without a way to resolve which self-signature is the one to follow, the broken cipher or hash may be used, which could compromise the security of the message.

> On the other hand, if such additions are accepted, I've got a long
> list of them...

Care to work on an "Implementation Suggestions for OpenPGP" with me?

David

--
David Shaw          | Technical Lead
<dshaw@akamai.com>  | Enterprise Content Delivery
617-250-3028        | Akamai Technologies
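The conflict described in the message above (one key carrying two self-signatures whose "preferred symmetric algorithms" subpackets disagree) modelled as an added example; this is not code from the thread or from any OpenPGP implementation. The self-signature fields, the key history and the sender's cipher set are constructed. The resolution rule it assumes, most recent non-revoked self-signature wins, is one candidate rule (the one RFC 4880 later specified in 5.2.3.3), not the suggestion referenced from the earlier message. Algorithm IDs follow the RFC 2440 symmetric algorithm registry, and the TripleDES fallback follows RFC 2440's rule that TripleDES is tacitly at the end of every preference list.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# RFC 2440 symmetric algorithm IDs (subset); 7 (AES-128) comes from 2440bis.
IDEA, TRIPLE_DES, CAST5, BLOWFISH, AES128, TWOFISH = 1, 2, 3, 4, 7, 10
NAMES = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES-128", 10: "Twofish"}


@dataclass
class SelfSignature:
    """Constructed model of a self-signature: only the fields this example needs."""
    created: int                    # signature creation time, seconds since the epoch
    preferred_symmetric: List[int]  # "preferred symmetric algorithms" subpacket, best first
    revoked: bool = False           # a revoked self-signature carries no live preferences


def resolve_self_signature(sigs: List[SelfSignature]) -> Optional[SelfSignature]:
    """Assumed resolution rule: the most recent non-revoked self-signature wins."""
    live = [s for s in sigs if not s.revoked]
    if not live:
        return None
    return max(live, key=lambda s: s.created)


def select_cipher(preferences: List[int], sender_supports: Set[int]) -> int:
    """Walk the recipient's ordered preferences; the first one the sender also
    implements wins. RFC 2440 puts TripleDES tacitly at the end of every list,
    so it is the fallback when nothing else matches."""
    for alg in preferences:
        if alg in sender_supports:
            return alg
    return TRIPLE_DES


def choose_cipher_naive(sigs: List[SelfSignature], sender_supports: Set[int]) -> int:
    """Unresolved handling (constructed): honour whichever self-signature is
    stored first on the key, ignoring age and revocation."""
    return select_cipher(sigs[0].preferred_symmetric, sender_supports)


def choose_cipher_resolved(sigs: List[SelfSignature], sender_supports: Set[int]) -> int:
    """Resolved handling: apply the assumed rule, then pick from that one list."""
    winner = resolve_self_signature(sigs)
    prefs = winner.preferred_symmetric if winner else []
    return select_cipher(prefs, sender_supports)


def has_conflicting_self_signatures(sigs: List[SelfSignature]) -> bool:
    """Check worth logging: do the live self-signatures disagree on preferences?"""
    live = {tuple(s.preferred_symmetric) for s in sigs if not s.revoked}
    return len(live) > 1


# Constructed key history: the original self-signature from 2000 lists IDEA first;
# a newer self-signature from 2001 drops IDEA after the user stops trusting it
# (hypothetical scenario, as in the message above).
KEY_SELF_SIGS = [
    SelfSignature(created=946_684_800, preferred_symmetric=[IDEA, CAST5, TRIPLE_DES]),
    SelfSignature(created=998_000_000, preferred_symmetric=[AES128, CAST5, TRIPLE_DES]),
]
SENDER_SUPPORTS = {IDEA, CAST5, TRIPLE_DES, AES128}

if __name__ == "__main__":
    print("conflicting self-signatures:", has_conflicting_self_signatures(KEY_SELF_SIGS))
    print("naive choice   :", NAMES[choose_cipher_naive(KEY_SELF_SIGS, SENDER_SUPPORTS)])
    print("resolved choice:", NAMES[choose_cipher_resolved(KEY_SELF_SIGS, SENDER_SUPPORTS)])
```

With the constructed history the naive path still encrypts with IDEA, the cipher the user tried to retire, while the resolved path follows the newer self-signature and picks AES-128; the conflict check is the kind of condition an implementation could flag when importing such a key.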