| 1 |
On Sat, May 20, 2006 at 03:21:13PM +0200, Jan Kundr?t wrote: |
| 2 |
> I don't know much about cryptography, but could you please elaborate on |
| 3 |
> why is using one subkey for all the stuff considered a Bad Thing? |
| 4 |
The basic form of it, is a vulnerability towards a class of attacks that |
| 5 |
require a large supply of signed/encrypted material. |
| 6 |
For a primer on various modes of using block ciphers, see |
| 7 |
Wikipedia: http://tinyurl.com/bbcmf |
| 8 |
|
| 9 |
It's conceivable that (and this is the absolute worst case), under this |
| 10 |
class of attack, a lot of signing may ultimately reveal bits of your |
| 11 |
key, because the attacker has both the plaintext and ciphertext, and can |
| 12 |
ultimately compute it - this can either be brute-force, or |
| 13 |
mathematically (consider it solving algebra). |
| 14 |
|
| 15 |
> Off-topic question - I've already met Alice, verified her identity, |
| 16 |
> signed her keys and now she wants me to sign her new subkey with same |
| 17 |
> name, e-mail etc because the old one has expired. Alice lives in Canada |
| 18 |
> so I can't meet her easily. Should I sign it again with the same level |
| 19 |
> of "trust"? |
| 20 |
I think you missed something in my original email, namely that you don't |
| 21 |
sign subkeys, you sign uids. |
| 22 |
|
| 23 |
Since uids don't expire that part is irrelevant, but they can be revoked |
| 24 |
- then this becomes the same as bob's case below. |
| 25 |
|
| 26 |
Note: |
| 27 |
Unless you are using the 'tsign' command under GnuPG, the trust question |
| 28 |
it asks you is only for it's local database, and is NOT included with |
| 29 |
the exported keys that are sent to keyservers or other users. So let's |
| 30 |
assume you are using tsign as well. |
| 31 |
|
| 32 |
> Another situation - Bob, Alice's boyfriend, lives in Canada. I've met |
| 33 |
> him before, verified his identity and signed his subkey for |
| 34 |
> bob@××××××.com. Now he wants my signature for bob@×××××××.org. Should I |
| 35 |
> sign it? |
| 36 |
Actual answer: |
| 37 |
You'll need to rely on your discretion a bit, but you can narrow down |
| 38 |
the possibilities for attacks by following a specific process (and there |
| 39 |
is a package that makes this much easier, but it's only available in |
| 40 |
Debian's SVN at the moment http://tinyurl.com/ggueq). |
| 41 |
0. Bob sends you a request about his new uid, signed with his key that |
| 42 |
you can verify. |
| 43 |
1. Sign the new uid, and export the uid signature to a file. |
| 44 |
2. Delete the signature from your keyring, you don't want it trusted yet |
| 45 |
(you can avoid this is you have a temp clone of your keyring). |
| 46 |
3. Send Bob an encrypted email, with the uid signature file attached. |
| 47 |
4. Bob needs to be able to decrypt the email using his GnuPG - thus |
| 48 |
associating the email address listed in his key with his key - if she |
| 49 |
can't decrypt the email - she's an imposter that has taken over the |
| 50 |
email account. |
| 51 |
|
| 52 |
-- |
| 53 |
Robin Hugh Johnson |
| 54 |
E-Mail : robbat2@g.o |
| 55 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives