IETF Logo Mail Archive

Re: Signature calculation language

hal@finney.org ("Hal Finney") Tue, 11 October 2005 22:32 UTC

Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EPSfR-0002G9-FJ for openpgp-archive@megatron.ietf.org; Tue, 11 Oct 2005 18:32:17 -0400
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA07713 for <openpgp-archive@lists.ietf.org>; Tue, 11 Oct 2005 18:32:13 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j9BMO0qO041177; Tue, 11 Oct 2005 15:24:00 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j9BMO00W041176; Tue, 11 Oct 2005 15:24:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j9BMNsff041166 for <ietf-openpgp@imc.org>; Tue, 11 Oct 2005 15:23:59 -0700 (PDT) (envelope-from hal@finney.org)
Received: by finney.org (Postfix, from userid 500) id 0352B57EF9; Tue, 11 Oct 2005 15:25:00 -0700 (PDT)
To: dshaw@jabberwocky.com, ietf-openpgp@imc.org
Subject: Re: Signature calculation language
Message-Id: <20051011222500.0352B57EF9@finney.org>
Date: Tue, 11 Oct 2005 15:25:00 -0700
From: hal@finney.org
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

David Shaw writes:
> Wondering - should the embedded 0x19 signature be a MUST?  Lacking a
> 0x19 allows the signing subkey to be "stolen" onto another primary
> key.

To remind readers, the 0x19 signature is issued by signing subkeys on
top-level keys, so that we have two-way binding.  The top key signs the
subkey and the subkey signs the top key, so each key agrees that they
belong together in a pair.

The problem is that if it is not a MUST, someone who does create
such a 0x19 back signature to bind his subkey is still at risk of it
being stolen.  The thief would bring just the subkey over and put a new
signature on it by his top key, and there would be no sign of the 0x19
signature the victim had created to try to stop this theft.  There would
be no 0x19 signature on the new key, but if it is not a MUST then we
might have to assume that this was just a choice by the key holder not
to create one.

So it does seem like it must be a MUST in order to be an effective
deterrent.

One possible problem is if there is any substantial set of signing subkeys
in use that don't have the 0x19 signature.  Signatures issued by those
keys might become invalid.  I don't think we have any from pgp.com,
we did not previously support signing subkeys.

Hal Finney

v2.23.0 | Report a Bug | By Email