Houston, we have a problem
Ángel
angel at pgp.16bits.net
Fri Sep 22 02:37:40 CEST 2017
On 2017-09-21 at 23:37 +0200, Stefan Claas wrote:
> Long ago when we had a discussion here on the Mailing List on
> how to prevent unwanted signatures i made a proposal that
> signing someone's public key should work similar to revocation
> certificates. If you would like to sign my pub key you had to
> send me a, let's call it, Signature Request Certificate, if i accept
> it i enter my passphrase and then the Software would extract
> the needed signature bits from the request cert and add those
> bits to my pub key. Like i said i'm no programmer and can't
> therefore test if such a feature proposal would work.
>
> Regards
> Stefan
Nope. This would solve the case of «Key of legitimate user signed by
fake user»¹ but not «Fake user signed by another fake user», which is
the problem.
¹ Assuming the legitimate one would notice and not allow his key to be
signed by the evil one, which is no problem, actually.
The proposal would be technically feasible (invalidating all existing
signatures, and probably conflicting with local sigs, but feasible).
However, it wouldn't solve the underlying problem.
Best
More information about the Gnupg-users
mailing list