David Shaw wrote:
And what is the "theory" behind them,... e.g. how do they improve security?
Current signing subkeys have a weakness in that they can be moved from
one key to another without the key owner's approval.
This means that if I sign a message with a signing subkey, someone
else can lift the (public) signing subkey off of my key, attach it to
theirs, and issue a new binding signature for it. This person can
then claim to be the person who signed the message.
Ah,... I see,.. but is this problem only limited to signing subkeys? It
should be, right? Because the primary is protected by the selfsigned
user id? Or is there another reason? (just want to check if I'm slowly
understanding how all these things work :-D )
btw: You remember my C-only thread (I'll answer your latest posts
soon),... I played around a bit and read some parts of rfc2440.
Ok when I split a key using gpgsplit I get about the following:
pubkey
uid
selfsig on uid (Sig type - Positive certification of a User ID and
Public Key packet(0x13))
subkey
selfsig on subkey (Sig type - Subkey Binding Signature(0x18))
Ok,.. the 0x18 signature is the one that binds the sub to the primary.
=>so nobody can add his own subkey to my primary because he wouldn't be
able to make a subkey binding sig, correct?
=>but he is able to take my subkey and remove my 0x18 and add his one
(that is where your back sig come into the game, correct?)
Is it correct that the primary has not directly a single self sig
packet, but rather 0x13s are used therefor? If so,.. what is 0x1F
(signature direct on key) used for? I thought this is used for primary
selfsigs.
Note that this person doesn't have the secret key or the passphrase -
they can't issue NEW signatures. They can only claim to be the signer
for existing signatures. They also can't stop the original signer
from claiming ownership. If it comes down to two people, both
claiming they issued a particular signature, just ask them both to
sign a challenge (a different challenge for each). The impostor won't
be able to.
Anyway, back signatures avoid all that by adding a signature from the
signing subkey on the primary key. This proves that the owner of the
signing subkey is not an impostor, since the impostor could not issue
such a signature.
Ah,.. ok,.. then backsignatures are VERY IMPORTANT, aren't they? And
everybody should add them to existing keys....
Will gnupg and other clients automatically indicate if a signing subkey
has no backsig?
Best wishes, Chris.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
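
The check asked about at the end of the message, as an added example that is not part of the original thread and not GnuPG's own code: it walks the packets of an exported public key and lists signing-capable subkeys whose 0x18 binding signature carries no embedded 0x19 back signature. It assumes the RFC 4880 encoding (key flags in subpacket 27, the back signature in embedded-signature subpacket 32); the function names and the sample bytes are constructed for illustration, and the check is structural only, with no signature verification.

```python
def _length(b, i, top=224):  # -> (length, next index); top=255 inside subpacket areas
    if b[i] < 192:
        return b[i], i + 1
    if b[i] < top:
        return ((b[i] - 192) << 8) + b[i + 1] + 192, i + 2
    if b[i] != 255:
        raise ValueError("partial body length not handled")
    return int.from_bytes(b[i + 1:i + 5], "big"), i + 5

def packets(b):  # yield (tag, body) for old- and new-format packet headers
    i = 0
    while i < len(b):
        if b[i] & 0x40:                    # new format
            tag, (n, i) = b[i] & 0x3F, _length(b, i + 1)
        elif (b[i] & 3) < 3:               # old format: 1, 2 or 4 length octets
            tag, size = (b[i] >> 2) & 0x0F, 1 << (b[i] & 3)
            n, i = int.from_bytes(b[i + 1:i + 1 + size], "big"), i + 1 + size
        else:
            raise ValueError("indeterminate length not handled")
        yield tag, b[i:i + n]
        i += n

def subpackets(sig):  # yield (type, data): hashed area, then unhashed, of a v4 signature
    i = 4                                  # skip version, type, pubkey algo, hash algo
    for _ in range(2):
        i, end = i + 2, i + 2 + int.from_bytes(sig[i:i + 2], "big")
        while i < end:
            n, i = _length(sig, i, top=255)
            yield sig[i] & 0x7F, sig[i + 1:i + n]   # mask off the "critical" bit
            i += n

def signing_subkeys_without_backsig(keyring):  # -> 0-based subkey indices
    missing, idx = [], -1
    for tag, body in packets(keyring):
        if tag == 14:                      # public subkey packet
            idx += 1
        elif tag == 2 and body[:2] == b"\x04\x18" and idx >= 0:
            subs = list(subpackets(body))
            signs = any(t == 27 and d and d[0] & 0x02 for t, d in subs)       # key flags
            backsig = any(t == 32 and d[:2] == b"\x04\x19" for t, d in subs)  # embedded sig
            if signs and not backsig:
                missing.append(idx)
    return missing

SAMPLE = bytes.fromhex(  # constructed packets, not a real key: no key material, no MPIs
    "98016b" "b40175" "880a04130108000000000000"                       # pubkey, uid, 0x13
    "b80165" "880d041801080003021b0c00000000"                          # subkey 0: encrypt only
    "b80173" "c219041801080003021b02000c0b20041901080000000000000000"  # subkey 1: sign + 0x19
    "b80173" "880d041801080003021b0200000000")                         # subkey 2: sign, no 0x19
```

On the constructed sample the function returns `[2]`: the encryption-only subkey needs no back signature, the second subkey has one, and the third is the case described in the thread.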