On 30/06/17 20:01, Stefan Claas wrote:
> Correct. But what i mean was an attacker would replace one of my pub
> keys (which i signed) with one he/she only replaced with one that
> has only the Trust Level set to Ultimate, resulting in both keys
> showing up with a green bar.
And to mitigate this situation, you proposed to colour ultimately trusted keys differently when they are used to sign a message. You proposed this several times in different messages.

So let's say your key is A, it's ultimately trusted. And you verified someone's key and signed it; this is key B. Data signatures by key B show up as valid with a green background.

Now consider the attacker. You say: he could inject key C, assign ultimate trust to key C and send me messages signed by key C. They would show up as valid. You want them to have a different colour.

But instead of that, the attacker could also inject key C into your public keyring and assign ultimate trust to it, and use this key C to certify another key D. The attacker then sends messages signed by key D, and since this key is certified by an ultimately trusted key (C), they will show up as valid with a green background.

As key A made data signatures by key B valid and green, key C makes data signatures by D valid and green. The situation is the same.

> 5.2.3.13. Trust Signature Page 30

Let's not get into trust signatures, they are a different beast entirely and not pertinent to this discussion. It would just make it even more complicated, and we're having some communication hurdles already. Trust signatures are used to delegate what you normally do by ownertrust to another person, which is sometimes used inside organizations.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
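Both variants Peter describes start the same way: an extra key in the public keyring with ultimate ownertrust. The following added example (mine, not from the thread or from GnuPG) audits a `gpg --with-colons --list-keys` listing for ultimately trusted fingerprints outside the set you know you assigned; the listing, key IDs and user IDs are constructed, with A as the owner's key, B certified by A, C the injected key and D certified by C.

```python
"""Flag ultimately trusted keys in a GnuPG keyring that you did not authorise.

Input is the `gpg --with-colons --list-keys` format: field 1 is the record type,
field 2 the computed validity, field 9 of a 'pub' record the ownertrust ('u' =
ultimate); the fingerprint follows in an 'fpr' record, the name in a 'uid' record.
"""

# Constructed listing (not real keys): A is the owner's key, B a key A certified,
# C an injected key given ultimate ownertrust, D a key C certified.
SAMPLE_LISTING = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1400000000::HASH1::Alice Owner <alice@example.invalid>::::::::::0:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1400000000:::-:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:f::::1400000000::HASH2::Bob Verified <bob@example.invalid>::::::::::0:
pub:u:2048:1:CCCCCCCCCCCCCCCC:1498800000:::u:::scESC::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
uid:u::::1498800000::HASH3::Injected Key <c@example.invalid>::::::::::0:
pub:f:2048:1:DDDDDDDDDDDDDDDD:1498800000:::-:::scESC::::::23::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
uid:f::::1498800000::HASH4::Mallory Signed <d@example.invalid>::::::::::0:
"""

# Fingerprints you know you gave ultimate ownertrust (here: only key A).
EXPECTED_ULTIMATE = {"A" * 40}


def parse_keys(listing):
    """One dict per primary key: keyid, validity, ownertrust, fpr, uid."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "validity": f[1], "ownertrust": f[8],
                       "fpr": None, "uid": None}
            keys.append(current)
        elif f[0] == "fpr" and current is not None and current["fpr"] is None:
            current["fpr"] = f[9]          # first fpr after pub = primary key
        elif f[0] == "uid" and current is not None and current["uid"] is None:
            current["uid"] = f[9]
    return keys


def unexpected_ultimate(listing, expected=EXPECTED_ULTIMATE):
    """Fingerprints with ultimate ownertrust that you did not put there.

    Any hit is a changed trust anchor: every key it certifies (D above)
    validates as fully valid, whatever colour C's own signatures get."""
    return [k["fpr"] for k in parse_keys(listing)
            if k["ownertrust"] == "u" and k["fpr"] not in expected]
```

Run it against `gpg --with-colons --list-keys` output from the real keyring and treat any returned fingerprint as a keyring integrity incident rather than a display problem.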