On 05/12/16 11:18, Peter Lebbing wrote:
> On 05/12/16 00:09, Andrew Gallagher wrote:
>> Mathematically, authentication is just a special case of
>> signing, so having both S and A on a subkey does not introduce extra
>> vulnerabilities (that we know of).
>
> Mathematically, I think you're wrong, it's very vulnerable :-).
> Authentication is signing the challenge sent to you by someone else,
> signature is signing the data you wish to approve of in some way. So if
> I can send you a challenge that would turn into a nice signature of you
> authorizing a bank payment to me, that would be easy money.

You don't need A capability to perform this attack though - so long as you
can social-engineer your way to getting someone to sign a message of your
choice. This isn't a *mathematical* vulnerability but an
implementation/procedural one, and it's not technically "extra" - although
it could be viewed as widening an already existing hole. ;-)

OK, I'm clutching at straws. I'll bail out of this argument now. ;-)

> When I brought up the issue some time ago here, I got no response, so I
> concluded it's not a problem. I was worried that some future
> authentication mechanism might actually produce the same data structure
> as a normal signature, but the lack of shared concern made me think it's
> probably not an issue then.

Yes, from an implementation point of view an authentication challenge and
its response should be strictly formatted in a way that can't be mistaken
for another protocol. Your auth routine shouldn't be blindly signing
whatever plaintext the attacker suggests...

>> in such cases it's safer to revoke the key and start
>> again.
>
> If this is a signature /subkey/, they can be rotated willy-nilly. Expire
> the current signature key, create a new one and delete the private part
> of the old signature key. It doesn't need to be revoked.

Sorry, yes expiry is as good as revocation, and this applies to both
primary keys and subkeys.

> Which defaults produce an authentication-capable key by the way? I don't
> remember seeing that.

I think it was Enigmail on OSX. This was a few years back though, and it
may have changed since.

Andrew.
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
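The point Andrew and Peter are circling, that an authentication response must be formatted so it can never double as a signature over attacker-chosen plaintext, is easiest to see with both designs side by side. The following is an added example written for this page; it is not code from the thread, from GnuPG or from Enigmail. It uses Go's standard-library Ed25519 instead of OpenPGP, a fixed test seed instead of a real key, and hypothetical domain tags ("example-doc-v1", "example-auth-v1") and server name ("bank.example") chosen for the illustration. The "naive" responder signs whatever challenge bytes arrive, exactly the behaviour the thread warns about; the separated responder accepts only a fixed-length nonce and signs a tagged transcript that a document verifier will never accept.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Fixed seed so the example is reproducible (constructed for this example);
// a real deployment generates keys with ed25519.GenerateKey(rand.Reader).
var testSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// Hypothetical domain tags chosen for this example. They differ at a fixed
// offset, so no byte string can start with both of them.
const (
	docDomain  = "example-doc-v1\x00"
	authDomain = "example-auth-v1\x00"
	nonceLen   = 32
)

func testKeyPair() (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(testSeed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// --- Naive design: the auth routine signs whatever the peer sends ----------

func naiveAuthRespond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// naiveVerifyDocument checks a signature over raw document bytes, which is
// exactly the shape naiveAuthRespond produces.
func naiveVerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// --- Domain-separated design: every signed string carries its purpose -----

func docMessage(doc []byte) []byte { return append([]byte(docDomain), doc...) }

func signDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, docMessage(doc))
}

func verifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, docMessage(doc), sig)
}

// authTranscript is the fixed-layout string an auth response actually signs:
// tag || len(serverID) as 2 bytes big-endian || serverID || nonce.
func authTranscript(serverID string, nonce []byte) []byte {
	var b bytes.Buffer
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(serverID)))
	b.WriteString(authDomain)
	b.Write(l[:])
	b.WriteString(serverID)
	b.Write(nonce)
	return b.Bytes()
}

// authRespond accepts only a fixed-length nonce and never signs it bare.
func authRespond(priv ed25519.PrivateKey, serverID string, nonce []byte) ([]byte, error) {
	if len(nonce) != nonceLen {
		return nil, fmt.Errorf("challenge must be %d bytes, got %d", nonceLen, len(nonce))
	}
	if len(serverID) == 0 || len(serverID) > 0xFFFF {
		return nil, fmt.Errorf("bad server id length %d", len(serverID))
	}
	return ed25519.Sign(priv, authTranscript(serverID, nonce)), nil
}

func authVerify(pub ed25519.PublicKey, serverID string, nonce, sig []byte) bool {
	return len(nonce) == nonceLen && ed25519.Verify(pub, authTranscript(serverID, nonce), sig)
}

// --- The attack from the thread, run against both designs -----------------

// Constructed attacker inputs: a "challenge" that is really a payment order,
// and a well-formed nonce the attacker picked.
var (
	paymentOrder = []byte("I authorise a payment of 1000 EUR to Mallory")
	evilNonce    = bytes.Repeat([]byte{0x41}, nonceLen)
)

// runAttack reports, for each design, whether the attacker can turn an auth
// exchange into a signature the document verifier accepts.
func runAttack() (naiveForged, separatedForged bool) {
	priv, pub := testKeyPair()

	sig := naiveAuthRespond(priv, paymentOrder)
	naiveForged = naiveVerifyDocument(pub, paymentOrder, sig)

	// A free-form challenge is rejected before anything is signed.
	if _, err := authRespond(priv, "bank.example", paymentOrder); err == nil {
		separatedForged = true
	}
	// A well-formed nonce yields a signature over the tagged transcript, which
	// the document verifier rejects whatever "document" the attacker presents.
	sig, err := authRespond(priv, "bank.example", evilNonce)
	if err != nil {
		panic(err)
	}
	for _, doc := range [][]byte{paymentOrder, evilNonce, authTranscript("bank.example", evilNonce)} {
		if verifyDocument(pub, doc, sig) {
			separatedForged = true
		}
	}
	return naiveForged, separatedForged
}

func main() {
	naive, sep := runAttack()
	fmt.Printf("naive design forgeable: %v\nseparated design forgeable: %v\n", naive, sep)
}
```

Two design notes. First, separation only works if the document side tags its input as well: a verifier that accepts signatures over bare bytes, like naiveVerifyDocument, would accept the auth transcript itself as a "document" (an ugly one, with a NUL-terminated tag and a binary length field, but a valid one). Second, the responder binds the server name into the transcript, so a response captured from one server cannot be replayed to another. OpenPGP's own signature packets apply the same idea at the format level: the signature-type octet is hashed into every signature, so a binary-document signature and a certification over the same bytes verify differently. The thread's concern is about an authentication protocol that might not do this framing at all, which is what the naive half of the example shows.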
