PGP: is there such a thing as a "signature only key?"
Dave Bird
dave at xemu.demon.co.uk
Fri, 19 Oct 2001 20:08:00 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In article <NEBBLPEDCLNPIJEEDICAEEAHCDAA.Paul.Halliden@wiltsec.co.uk>,
Paul Halliden <Paul.Halliden@wiltsec.co.uk> writes
>On 19 October 2001 01:16 Peter Gutmann wrote:
>
>>>On Wed, 17 Oct 2001 16:36:23 -0700 (PDT) Len Sassaman <rabbi@quickie.net>
>>>said...
>>>>Well, given that encryption to DSA keys is not possible, it certainly
>>>>does refuse to encrypt to them.
>>>
>>>On the contrary, it is possible to convert a DSS key to an El-Gamal key, and
>>>to use it for encryption. But of course, that requires quite a bit of
>>>competent hacking at both ends.
>>
>>It doesn't require any hacking at all, all FIPS 186-style keys can be used for
>>signing (DSS), key agreement (DH), and encryption (Elgamal) without any special
>>changes. Special-case DLP keys (eg PKCS #3 DH rather than X9.42 DH, the latter
>>is just a buggy copy of FIPS 186) don't have this interchangeability.
>
>This provides a very good illustration of why a well-designed crypto sub-system
>should police the use of keys. Whenever a key / key set is generated or
>imported, the intended use of the key should be defined. Subsequently, the
>crypto sub-system should enforce that the key is only used for its intended use.
>A hardware-based sub-system such as a smart card or hardware security module is
>most effective. Pure software systems are more vulnerable to "hacking".
>Implementations which require a user to actively delete or revoke undesired keys
>(or key usage) are not suitable for use by anyone other than a very security (and
>crypto) aware user.
I think the problem is as follows.
1. The change to a windows-interface PGP is unwise in not prompting
the creation of signature only keys: you have to be a power user
and know to delete (not expire) the subkey yourself. If the subkey
has been deleted, there can be no encryption to it using the
software as supplied.
2. I am AMAZED that expiry of a subkey does not forthwith
delete and over-write it. Never mind "obeying flags", the data
which enables the bug should have been ERADICATED.
3. At a guess there is further an actual bug which "resurrects"
expired subkeys, by giving them the expiry date of the main key
(but this could not happen if the key info was DELETED on expiry).
- --
^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/
(..)__u news:alt.smoking.mooses
happy as a clam at high tide -. <_" .-._.-.
-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1
iQA/AwUBO9B6EH8v/Y5zkfRPEQJ4qACgxweA/mod7KKZEyTur+lvmo40AJwAnReW
YGaLRjkPOsnZaZLLGsKxlOH4
=CopH
-----END PGP SIGNATURE-----
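The thread makes three points that are easy to model: a key's intended use is fixed when it is generated or imported and enforced afterwards (Paul's point), an expired subkey should be removed rather than merely flagged (Dave's item 2), and a subkey must be judged by its own expiry date, not the primary key's (item 3). The Python below is an added illustration, not code from the list, from PGP, or from any OpenPGP implementation; the keyring structure, the usage flags, the key ids and the dates are all constructed for the example. The `inherit_primary_expiry` switch reproduces the suspected "resurrection" behaviour so the difference is visible.

```python
"""Toy crypto subsystem that polices key usage and subkey expiry.

Added example (not from the thread or any PGP product). Keys, ids and
dates below are constructed; no real cryptography is performed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Flag, auto
from typing import List, Optional


class Usage(Flag):
    """Intended use, fixed at generation/import time and enforced later."""
    CERTIFY = auto()
    SIGN = auto()
    ENCRYPT = auto()


@dataclass
class Key:
    key_id: str
    usage: Usage
    expires: Optional[datetime]  # None means the key never expires
    revoked: bool = False

    def is_valid_at(self, when: datetime) -> bool:
        if self.revoked:
            return False
        return self.expires is None or when < self.expires


@dataclass
class Keyring:
    primary: Key
    subkeys: List[Key] = field(default_factory=list)

    def usable_keys(self, want: Usage, when: datetime,
                    inherit_primary_expiry: bool = False) -> List[Key]:
        """Keys valid at `when` whose declared usage covers `want`.

        inherit_primary_expiry=True reproduces the suspected bug from item 3:
        the subkey is judged by the primary key's (later) expiry date and so
        comes back to life.  The default judges each key by its own date.
        """
        if not self.primary.is_valid_at(when):
            return []  # a dead primary takes the whole key set with it
        found = []
        for key in [self.primary] + self.subkeys:
            if inherit_primary_expiry and key is not self.primary:
                judged = Key(key.key_id, key.usage, self.primary.expires, key.revoked)
            else:
                judged = key
            if judged.is_valid_at(when) and want in key.usage:
                found.append(key)
        return found

    def purge_expired(self, when: datetime) -> int:
        """Remove expired/revoked subkeys outright (item 2); returns the count removed."""
        before = len(self.subkeys)
        self.subkeys = [k for k in self.subkeys if k.is_valid_at(when)]
        return before - len(self.subkeys)


class KeyUsageError(Exception):
    """Raised when no key is permitted to perform the requested operation."""


def select_key(ring: Keyring, want: Usage, when: datetime, **kw) -> Key:
    """Pick a key for `want`, refusing outright rather than falling back."""
    keys = ring.usable_keys(want, when, **kw)
    if not keys:
        raise KeyUsageError(f"no valid key with usage {want.name} at {when.date()}")
    return keys[0]


# Constructed demo data: a certify/sign primary valid until 2011 and an
# encryption subkey that expired on 1 Oct 2001.  Ids are placeholders.
UTC = timezone.utc
NOW = datetime(2001, 10, 19, tzinfo=UTC)
BEFORE_EXPIRY = datetime(2001, 9, 1, tzinfo=UTC)


def make_demo_ring() -> Keyring:
    primary = Key("PRIMARY-DEMO", Usage.CERTIFY | Usage.SIGN,
                  datetime(2011, 1, 1, tzinfo=UTC))
    enc_sub = Key("ENCSUB-DEMO", Usage.ENCRYPT, datetime(2001, 10, 1, tzinfo=UTC))
    return Keyring(primary, [enc_sub])


if __name__ == "__main__":
    ring = make_demo_ring()
    print("signing key:", select_key(ring, Usage.SIGN, NOW).key_id)
    try:
        select_key(ring, Usage.ENCRYPT, NOW)
    except KeyUsageError as err:
        print("encryption refused:", err)
    resurrected = ring.usable_keys(Usage.ENCRYPT, NOW, inherit_primary_expiry=True)
    print("with inherited expiry (the bug):", [k.key_id for k in resurrected])
    print("subkeys purged:", ring.purge_expired(NOW))
    print("after purge, even the buggy path finds:",
          ring.usable_keys(Usage.ENCRYPT, NOW, inherit_primary_expiry=True))
```

With the defaults the primary signs but nothing encrypts after 1 Oct 2001, which is what a signature-only key set should look like to the caller. Flipping `inherit_primary_expiry` shows how a flag-based check can be undone by one wrong date lookup, whereas after `purge_expired` the subkey is simply gone and no code path, buggy or not, can select it.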