[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Back-signatures, part II
I just checked over my notes about back-signatures, and there was a
second proposal to solve the same problem. For completeness, here is
the other proposal.
To repeat the problem: it is possible for an attacker to take a
signing subkey from a victim's key and attach this signing subkey to
the attacker's own key. The attacker does this by issuing a new
binding signature on the subkey from his own primary key. The end
result is that a signature issued by this signing subkey may be
claimed to be from either the attacker or the victim.
Second proposed solution: on all signatures issued by a signing
subkey, include a copy of the fingerprint of the primary key that
"owns" this subkey. An attacker cannot issue signatures from the
stolen subkey at all, so is foiled.
1) Define a new type of signature subpacket that consists of a
2) Include it on all subkey signatures as a hashed subpacket. (It
must be hashed to be effective).
1) Unlike the subkey-signs-primary key solution, old signatures issued
before this back-signature protection became available are NOT
2) Like the other solution, this does not require generating a new
3) Like the other solution, this uses a signature subpacket so there
should be no backward compatibility problems.
4) This is simpler than the other solution in several ways (less code
to do it, for one, does not require the key to be modified and
redistributed, for two).
5) This is likely to be faster than the other solution, as it only
requires two signature verifications (the data in question plus the
subkey binding signature) rather than three (the data in question,
the subkey binding signature, and the back-signature).
6) It will no longer be possible to issue a v3 signature from a
signing subkey. I don't see this as a major problem since the
older programs that don't understand v4 signatures don't
understand signatures from signing subkeys anyway.
Comparing the two proposals seems to be a wash. Back-signatures are a
bit slower, but protect existing signatures. Including a fingerprint
is a bit faster, but does not protect existing signatures.
Perhaps speed and simplicity should win out here. Speaking as someone
who regularly uses a signing subkey, I don't particularly care if my
old signatures are protected or not. I obviously can't speak for
everyone using a signing subkey though.
Again, comments welcome.