Re: Keys without signatures




David Wagner <daw@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Maria Lukas van den Berg wrote:
>> Assume that I create a keypair A and sign my Usenet postings
>> using A. I do not want to rely on any signatures on the
>> public key of A. Instead I define my identity via the
>> postings I make. This means that after I published postings
>> P_1 to P_n, I want to be able to do a posting P and by a
>> signature on P to prove that P was posted by the same person
>> who also posted P_1 to P_n, i.e., me. (Unless my private key
>> and passphrase got compromised.)
>
> In theory, this is impossible. An adversary might intercept your
> postings, strip off your signature, sign it himself, and post.

Yes. However, that's something which I can check to some
extent if it has happened or not. After posting, I download
the articles myself from a server and then check the
signature. An attacker would have to intercept my posting *again*
and change it back, so that I would not notice.

I can live with this possibility.

> In practice, including your public key in the content that is signed
> would seem like it would prevent a passive attacker (who does not
> actively modify your original postings P_1 .. P_n) from mounting the
> kind of attack you mention -- but anything you do is going to be based
> on assumptions about the adversary that cannot be guaranteed.

Yes, publishing the whole public key with each posting seems
like a final measure. I'd like to stick to something more
moderate, e.g., only publishing the fingerprint. That's why
I asked what kind of key would give the best protection
against someone producing a key B with the desired properties
and the same fingerprint as A.

> Bottom line: Digital signatures can be used to prove endorsement,
> but not authorship. If public key X signed a document D, then we
> may be entitled to conclude that X endorses document D, but there's
> no guarantee that X was the (original) author of D.

Yes. However, if we can rule out interception of documents,
this is different?


Best regards,
Luke
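
The reader-side check this thread discusses, as an added example that is not part of the original posts: each posting carries the key fingerprint inside the signed text, and a reader compares it with the signing key and with the fingerprint pinned from P_1 .. P_n. The toy textbook RSA over constructed Mersenne-prime keys stands in for a PGP key, and all function names and the "Key-Fingerprint:" line are assumptions.

```python
import hashlib

# Toy textbook RSA on constructed keys: unpadded and far too small for real
# use. It only stands in for the PGP keypairs A and B of the thread.
def make_key(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def fingerprint(key):
    # Hash over the public part only.
    return hashlib.sha256(f"{key['n']}:{key['e']}".encode()).hexdigest()

def digest(text, n):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def sign(text, key):
    return pow(digest(text, key["n"]), key["d"], key["n"])

def post(body, key):
    # The fingerprint line is part of the content that gets signed.
    signed = f"{body}\nKey-Fingerprint: {fingerprint(key)}"
    return {"signed": signed, "sig": sign(signed, key),
            "pub": {k: key[k] for k in ("n", "e")}}

def resign(posting, key):
    # The case from the thread: original signature stripped, text left
    # unchanged, a new signature made with another key.
    return {"signed": posting["signed"], "sig": sign(posting["signed"], key),
            "pub": {k: key[k] for k in ("n", "e")}}

def check(posting, pinned_fpr):
    pub = posting["pub"]
    if pow(posting["sig"], pub["e"], pub["n"]) != digest(posting["signed"], pub["n"]):
        return "bad signature"
    claimed = posting["signed"].rsplit("Key-Fingerprint: ", 1)[-1]
    if claimed != fingerprint(pub):
        return "signer is not the key named in the body"
    if fingerprint(pub) != pinned_fpr:
        return "different identity than earlier postings"
    return "same key as earlier postings"

if __name__ == "__main__":
    A = make_key(2**127 - 1, 2**89 - 1)   # constructed key A
    B = make_key(2**107 - 1, 2**61 - 1)   # constructed key B
    pinned, p = fingerprint(A), post("Posting P", A)
    for label, item in [("original", p), ("re-signed copy", resign(p, B)),
                        ("rewritten and signed by B", post("Posting P", B))]:
        print(f"{label}: {check(item, pinned)}")
```

The third case is caught only by a reader who already pinned A's fingerprint from earlier postings; the signature and the embedded fingerprint are both consistent with B.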