On 05/12/16 00:09, Andrew Gallagher wrote:
> Mathematically, authentication is just a special case of
> signing, so having both S and A on a subkey does not introduce extra
> vulnerabilities (that we know of).

Mathematically, I think you're wrong, it's very vulnerable :-). Authentication is signing the challenge sent to you by someone else, signature is signing the data you wish to approve of in some way. So if I can send you a challenge that would turn into a nice signature of you authorizing a bank payment to me, that would be easy money.

However, in practice, a challenge has a different format than a data or key signature, and they can be differentiated. This isn't math, though. For RSA, you still do the modular exponentiation of RSA.

When I brought up the issue some time ago here, I got no response, so I concluded it's not a problem. I was worried that some future authentication mechanism might actually produce the same data structure as a normal signature, but the lack of shared concern made me think it's probably not an issue then.

> in such cases it's safer to revoke the key and start
> again.

If this is a signature /subkey/, they can be rotated willy-nilly. Expire the current signature key, create a new one and delete the private part of the old signature key. It doesn't need to be revoked.

Which defaults produce an authentication-capable key by the way? I don't remember seeing that.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
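
The point made in the message above, that one private-key operation serves both usages and only the format of the signed data keeps them apart, shown as an added example that is not part of the original post. It uses a toy hash-then-RSA scheme without padding, a demonstration key built from known primes, and hypothetical context tags; none of this is GnuPG's or OpenPGP's actual encoding.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed, publicly known
# factors: for demonstration only, it offers no security).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(data: bytes) -> int:
    """The single private-key operation shared by both usages."""
    return pow(_digest(data), D, N)

def rsa_verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)

# Naive scheme: authentication and document signing feed raw bytes to the key.
def naive_auth_response(challenge: bytes) -> int:
    return rsa_sign(challenge)

def naive_verify_document(doc: bytes, sig: int) -> bool:
    return rsa_verify(doc, sig)

# Separated scheme: each usage prepends its own context tag (hypothetical
# values), so the two signed data structures can never coincide.
AUTH_TAG, DOC_TAG = b"auth-challenge\x00", b"document-signature\x00"

def tagged_auth_response(challenge: bytes) -> int:
    return rsa_sign(AUTH_TAG + challenge)

def tagged_verify_document(doc: bytes, sig: int) -> bool:
    return rsa_verify(DOC_TAG + doc, sig)

def demo() -> dict:
    # Constructed sample: the "challenge" is really a document.
    challenge = b"Pay 1000 EUR to account X"
    naive_sig = naive_auth_response(challenge)
    tagged_sig = tagged_auth_response(challenge)
    return {
        "naive_accepts_as_document": naive_verify_document(challenge, naive_sig),
        "tagged_accepts_as_document": tagged_verify_document(challenge, tagged_sig),
        "tagged_auth_still_verifies": rsa_verify(AUTH_TAG + challenge, tagged_sig),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With distinct tags the authentication response still verifies as an authentication response, but it no longer verifies as a document signature under the same key.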
