At 05:08 PM 10/29/2003 -0500, Michael Young wrote:
> Trevor Perrin wrote (in another message):
> > I don't want to re-confuse an issue you've just clarified, but
> > here's a generalization of the second proposal that might be worth
> > considering:
> >
> > You could include in *every* signature a subpacket that contains a
> > hash of *all* enclosing context. By "enclosing context" I mean
> > the key packet for the primary key, along with its
> > self-signatures, and the key packet for the subkey as well (if the
> > signing key is a subkey) along with the subkey binding signature.
>
> This would add yet another impediment to rewriting self-signatures (or binding signatures). To permit rewriting, you'd have to keep all past versions (and try each one at verification time) or copy that material into the signature.
Good point - you'd only want to include context that won't get invalidated by re-issued signatures. So I guess we could change the proposal to only cover key packets, not signature packets, without losing too much:
Proposal: Include in every signature a hashed subpacket that contains a hash of the relevant key packets. The relevant key packets are the primary key packet if the signing key is a primary key, or the primary key *and* subkey packets if the signing key is a subkey.
This stops these 3 manipulations:
- issuing a subkey signature to someone else's key, and claiming their signatures
- changing the primary key that a signature performed by a re-used subkey belongs under
- an attacker generating a new key that verifies someone else's signature

Trevor
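The proposal above, as an added worked example that is not part of the original thread: a toy model of the "context hash" subpacket, in which the verifier recomputes the hash over the key packets it believes the signature belongs to and rejects a signature that has been re-homed under a different primary key. Real OpenPGP signatures are asymmetric; here HMAC with a shared secret stands in for the subkey's signing operation, the key packets are constructed byte strings rather than real packets, and subpacket type 0x64 (in the private/experimental range) is an assumed value.

```python
import hashlib
import hmac
from typing import Optional

CTX_SUBPACKET_TYPE = b"\x64"  # assumed: private/experimental subpacket type for the context hash


def context_hash(primary_pkt: bytes, subkey_pkt: Optional[bytes] = None) -> bytes:
    """Hash of the 'relevant key packets': the primary key packet alone, or
    primary plus subkey when the signing key is a subkey. Each packet is
    tagged and length-prefixed so packet boundaries cannot be shifted."""
    h = hashlib.sha256()
    for tag, pkt in ((b"\x06", primary_pkt), (b"\x0e", subkey_pkt)):  # 6 = public key, 14 = public subkey
        if pkt is not None:
            h.update(tag + len(pkt).to_bytes(4, "big") + pkt)
    return h.digest()


def sign(secret: bytes, message: bytes, primary_pkt: bytes, subkey_pkt: Optional[bytes] = None) -> dict:
    # The context hash goes into the *hashed* subpacket area, so it is covered by the signature.
    subpackets = CTX_SUBPACKET_TYPE + context_hash(primary_pkt, subkey_pkt)
    mac = hmac.new(secret, message + subpackets, hashlib.sha256).digest()  # HMAC stands in for the signature
    return {"hashed_subpackets": subpackets, "mac": mac}


def verify(secret: bytes, message: bytes, sig: dict, primary_pkt: bytes, subkey_pkt: Optional[bytes] = None) -> bool:
    # The verifier recomputes the context from the key packets it is presented with,
    # so a signature moved under another primary key mismatches before the MAC is even checked.
    expected = CTX_SUBPACKET_TYPE + context_hash(primary_pkt, subkey_pkt)
    if not hmac.compare_digest(sig["hashed_subpackets"], expected):
        return False
    mac = hmac.new(secret, message + sig["hashed_subpackets"], hashlib.sha256).digest()
    return hmac.compare_digest(mac, sig["mac"])


# Constructed sample data (not real OpenPGP packets or keys).
ALICE_PRIMARY = b"alice-primary-key-packet"
ALICE_SUBKEY = b"alice-signing-subkey-packet"
ALICE_SUBKEY_SECRET = b"alice-subkey-secret"
MALLORY_PRIMARY = b"mallory-primary-key-packet"
MSG = b"a signed message"


def demo() -> tuple:
    sig = sign(ALICE_SUBKEY_SECRET, MSG, ALICE_PRIMARY, ALICE_SUBKEY)
    genuine = verify(ALICE_SUBKEY_SECRET, MSG, sig, ALICE_PRIMARY, ALICE_SUBKEY)
    # Mallory issues her own binding signature over Alice's subkey packet and presents
    # Alice's unchanged signature as if it belonged under Mallory's primary key.
    rebound = verify(ALICE_SUBKEY_SECRET, MSG, sig, MALLORY_PRIMARY, ALICE_SUBKEY)
    return genuine, rebound  # (True, False)
```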