PGP: is there such a thing as a "signature only key?"

Dave Bird dave@xemu.demon.co.uk
Wed, 17 Oct 2001 22:30:57 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Message-ID: <xKD+X9Iiffz7Ewaz@xemu.demon.co.uk>
Date: Wed, 17 Oct 2001 22:28:02 +0100
From: Dave Bird <dave@xemu.demon.co.uk>
Newsgroups: demon.ip.support.turnpike
Subject: PGP: is there such a thing as a "signature only key?"
Path: xemu.demon.co.uk!dave
Lines: 42
Organization: Smelling-nose Dogs for the Anosmic
MIME-Version: 1.0
X-Newsreader: Turnpike Integrated Version 5.00 U
<dQumtnY$x4rJ2u5tL5fS$n2vuP>


 It has been claimed to me there is such a thing as a "signature
 only key", and that the PGP program will (automatically) refuse
 to encrypt to it.

In article <cbalDHFHsdz7EweN@xemu.demon.co.uk>, Dave Bird  writes:
>Cite:
>>cite:
>>> I see a DOS attack here. Surely someone could just deliberately use
>>> people's signature-only keys for encryption. The flaw is in the
>>> logic of the RIP law, of course, not in the crypto algorithms
>>> themselves.
>>
>>Yes.  Though neither GnuPG nor PGP let me encrypt to a signature-only
>>key, 

 I cannot find anything in generating a key, or in keys | properties,
 which deals with a  "signature only" key.  My copy of PGP cheerfully
 encrypts to such a key.  The Turnpike mailer AUTOMATICALLY encrypts
 to such a key when I mail to a person whose key I previously fetched
 from a signed key.... unless I manually intervene after fetching a key
 (several times per day) to see if I need to turn off encrypt-mail
 to that person or to remember that a particular key (fetched weeks ago) 
 was signature only.

 OTOH if such a thing does exist then Turnpike's integration with PGP
 and/or the version of PGP shipped with it are broken, not compliant
 with the specs and protocols for integrating with PGP, and people
 will rightfully complain that my software just automatically ignored
 the "signature only"  indicator.  (There is also a possibility that
 writing <SIGNATURE KEY ONLY> is common but not strictly standard,
 where it would be nice to fix this dodgy behaviour with a dialogue
 "The key you fetched is marked 'SIGNATURE...ONLY'
       and the person has no other key.  
  Mark do-not-encrypt-mail to this person? [YES]  [NO]" ).
  


- -- 
   ^-^-^-@@-^-;-^   http://www.xemu.demon.co.uk/
        (..)__u     news:alt.smoking.mooses

       happy as a clam at high tide -. <_" .-._.-.


-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBO834kX8v/Y5zkfRPEQIawQCdFuMGTF5dvIifNhnjCeOGmr+iWk4AoNs+
GdreOgcQDyoYYly6WfaGC8Eu
=Ez1p
-----END PGP SIGNATURE-----
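
Added example, not part of the original post: one way a mail client could make the check the post asks for before auto-encrypting. It assumes GnuPG's `--with-colons` key listing, where field 2 is the validity and field 12 holds capability letters (`e` encrypt, `s` sign, `c` certify, `D` disabled). The listing, key IDs and addresses are constructed, and `encryption_capable` and `do_not_encrypt` are hypothetical helper names.

```python
# Constructed sample in the shape of `gpg --list-keys --with-colons` output.
# Key IDs, timestamps and user IDs are made up for illustration.
SAMPLE_LISTING = """\
pub:u:1024:17:AAAAAAAAAAAAAAA1:1003000000:::u:::scSC:
uid:u::::1003000000::::Sign Only <sign-only@example.org>:
pub:u:1024:17:BBBBBBBBBBBBBBB2:1003000000:::u:::scESC:
uid:u::::1003000000::::Normal User <normal@example.org>:
sub:u:2048:16:CCCCCCCCCCCCCCC3:1003000000::::::e:
pub:u:1024:17:DDDDDDDDDDDDDDD4:1003000000:::u:::scSC:
uid:u::::1003000000::::Revoked Subkey <revoked-sub@example.org>:
sub:r:2048:16:EEEEEEEEEEEEEEE5:1003000000::::::e:
"""

# Field 2 values that make a key unusable: revoked, expired, disabled, invalid.
UNUSABLE = {"r", "e", "d", "i"}


def encryption_capable(listing):
    """Map each primary key ID to True if it, or a usable subkey, can encrypt."""
    result = {}
    current = None
    primary_ok = False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue  # uid, fpr and other records carry no capability field
        validity, key_id, caps = fields[1], fields[4], fields[11]
        if fields[0] == "pub":
            current = key_id
            # A revoked or disabled primary key makes its subkeys unusable too.
            primary_ok = validity not in UNUSABLE and "D" not in caps
            result[current] = False
        elif current is None:
            continue  # subkey record without a preceding primary key
        # Lowercase 'e' is this key's own capability; uppercase 'E' on a pub
        # record is only GnuPG's summary, so it is deliberately not trusted.
        if primary_ok and validity not in UNUSABLE and "e" in caps:
            result[current] = True
    return result


def do_not_encrypt(listing):
    """Primary key IDs a mailer should not auto-encrypt to (signature-only)."""
    return sorted(k for k, ok in encryption_capable(listing).items() if not ok)


if __name__ == "__main__":
    for key_id in do_not_encrypt(SAMPLE_LISTING):
        print(f"{key_id}: signature-only, mark do-not-encrypt-mail")
```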