Discussion:
greetings
Adam Wasserman
2014-02-04 15:49:12 UTC
Permalink
Hi all,

I'm in a new member and just thought I'd introduce myself. I'm the creator of PGP KeyRing and Squeaky Mail for Android. I've had plenty of questions about PGP and RFC 4880 over the past year! But I've gained a lot of knowledge in that time, too.

One thing that I'm still not quite sure about is why GnuPG generates subkey revocation signatures over both the master and subkey... 

Anyway, thanks for having me.

Adam
Michael Daigle
2014-02-04 23:19:18 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Post by Adam Wasserman
I'm in a new member and just thought I'd introduce myself.
Welcome to PGP-Basics, Adam!
Post by Adam Wasserman
One thing that I'm still not quite sure about is why GnuPG
generates subkey revocation signatures over both the master and
subkey...
GnuPG will create a revocation certificate for a complete key only. If
you need only to revoke a subkey you must use the --edit command.


- --
Mike Daigle http://www.mikedaigle.ca


-----BEGIN PGP SIGNATURE-----
Comment: Mike Daigle Ontario, Canada www.mikedaigle.ca

iHEEAREDADEFAlLxdWwqGGh0dHA6Ly9saW5rcy5taWtlZGFpZ2xlLmNhL01pa2VE
YWlnbGUuYXNjAAoJEE7x4eArFU5iIsUAoIKWHI8xUwC1KWR/eZxb+9sB8t8JAJ9s
gP0j7DcJP2j3NqP7zn6aqXAtpw==
=51UM
-----END PGP SIGNATURE-----


------------------------------------

______________________________________________________________
Archives: http://groups.yahoo.com/group/PGP-Basics/messages
OT List: http://groups.yahoo.com/group/PGP-Basics-OT
OT Subscribe: mailto:PGP-Basics-OT-***@yahoogroups.com
Gossamer Spider Web of Trust http://www.gswot.org

Yahoo Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/PGP-Basics/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/PGP-Basics/join
(Yahoo! ID required)

<*> To change settings via email:
PGP-Basics-***@yahoogroups.com
PGP-Basics-***@yahoogroups.com

<*> To unsubscribe from this group, send an email to:
PGP-Basics-***@yahoogroups.com

<*> Your use of Yahoo Groups is subject to:
http://info.yahoo.com/legal/us/yahoo/utos/terms/
Adam Wasserman
2014-02-05 08:43:56 UTC
Permalink
Thanks for your reply, Michael.

Here's the thing: RFC 4880 section 5.2.1 says:


0x28: Subkey revocation signature The signature is calculated directly on the subkey being revoked.It repeats the detail again later on in 5.2.4.

I've noticed that if I export a key ring with a subkey revoked using GnuPG, I can only verify the signature if I do so over both the subkey and the master key. Also, if I generate a subkey revocation signature, GnuPG only verifies and accepts it if I do so by calculating it over both the subkey and the master key.

So it seems to me that GnuGP is using both the subkey and master key for this signature. I'm not sure why, however. Seems it should only be the subkey.

BTW I didn't realize it was common practice to sign messages to this group when I joined. I'm not set up to use this address for PGP encryption.

Thanks in advance,
Adam





On Wednesday, February 5, 2014 12:19 AM, Michael Daigle <***@mikedaigle.ca> wrote:

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Post by Adam Wasserman
I'm in a new member and just thought I'd introduce myself.
Welcome to PGP-Basics, Adam!
Post by Adam Wasserman
One thing that I'm still not quite sure about is why GnuPG
generates subkey revocation signatures over both the master and
subkey...
GnuPG will create a revocation certificate for a complete key only. If
you need only to revoke a subkey you must use the --edit command.

- --
Mike Daigle http://www.mikedaigle.ca
Michael Daigle
2014-02-05 14:57:38 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Post by Adam Wasserman
Thanks for your reply, Michael.
0x28: Subkey revocation signature The signature is calculated
directly on the subkey being revoked.It repeats the detail again
later on in 5.2.4.
I've noticed that if I export a key ring with a subkey revoked
using GnuPG, I can only verify the signature if I do so over both
the subkey and the master key. Also, if I generate a subkey
revocation signature, GnuPG only verifies and accepts it if I do so
by calculating it over both the subkey and the master key.
So it seems to me that GnuGP is using both the subkey and master
key for this signature. I'm not sure why, however. Seems it should
only be the subkey.
The master signing key is needed to authenticate the transaction. If
the subkey was an encryption subkey there would be no means at all to
sign the revocation certificate if the master signing key was not
used. It makes sense to me the master signing key would be required to
make any changes to certificate information or key material.

I may be missing what you're saying, otherwise I would have to say
everything seems to be working as designed and as it should.


- --
Mike Daigle http://www.mikedaigle.ca



-----BEGIN PGP SIGNATURE-----
Comment: Mike Daigle Ontario, Canada www.mikedaigle.ca

iHEEAREDADEFAlLyUWAqGGh0dHA6Ly9saW5rcy5taWtlZGFpZ2xlLmNhL01pa2VE
YWlnbGUuYXNjAAoJEE7x4eArFU5i724AoLCQtokomoAOEd/0Aan0moo26qHQAKC5
4vsgeoibMFUML2YU8ygyqjmTvg==
=N3oo
-----END PGP SIGNATURE-----


------------------------------------

______________________________________________________________
Archives: http://groups.yahoo.com/group/PGP-Basics/messages
OT List: http://groups.yahoo.com/group/PGP-Basics-OT
OT Subscribe: mailto:PGP-Basics-OT-***@yahoogroups.com
Gossamer Spider Web of Trust http://www.gswot.org

Yahoo Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/PGP-Basics/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/PGP-Basics/join
(Yahoo! ID required)

<*> To change settings via email:
PGP-Basics-***@yahoogroups.com
PGP-Basics-***@yahoogroups.com

<*> To unsubscribe from this group, send an email to:
PGP-Basics-***@yahoogroups.com

<*> Your use of Yahoo Groups is subject to:
http://info.yahoo.com/legal/us/yahoo/utos/terms/
Adam Wasserman
2014-02-05 17:49:10 UTC
Permalink
Hi Mike,

I understand what you mean. You make a good point: if you have an El Gamal subkey, how do you revoke it? It can't sign.

A subkey is already bound to the master key in the key ring by its signature. In addition, from what I understand when calculating a signature over keys, you use the public portion. So including the master key is not a way of increasing certainty that the signer is who you think it is. And the RFC seems clear: you calculate over the subkey, and the subkey signs.

I've been experimenting with RSA keys, which can sign and encrypt. As per the RFC, GnuPG uses the subkey to sign. That wasn't my issue. It was that it used the subkey to generate a signature over itself as well as the master key. This seems contrary to the RFC.

But you really bring up a good point. What about subkeys that can't sign?

Adam





On Wednesday, February 5, 2014 3:58 PM, Michael Daigle <***@mikedaigle.ca> wrote:

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Post by Adam Wasserman
Thanks for your reply, Michael.
0x28: Subkey revocation signature The signature is calculated
directly on the subkey being revoked.It repeats the detail again
later on in 5.2.4.
I've noticed that if I export a key ring with a subkey revoked
using GnuPG, I can only verify the signature if I do so over both
the subkey and the master key. Also, if I generate a subkey
revocation signature, GnuPG only verifies and accepts it if I do so
by calculating it over both the subkey and the master key.
So it seems to me that GnuGP is using both the subkey and master
key for this signature. I'm not sure why, however. Seems it should
only be the subkey.
The master signing key is needed to authenticate the transaction. If
the subkey was an encryption subkey there would be no means at all to
sign the revocation certificate if the master signing key was not
used. It makes sense to me the master signing key would be required to
make any changes to certificate information or key material.

I may be missing what you're saying, otherwise I would have to say
everything seems to be working as designed and as it should.

- --
Mike Daigle http://www.mikedaigle.ca
Adam Wasserman
2014-02-06 10:06:44 UTC
Permalink
I just went and checked my code and the RFC. I was wrong in the above post when I said the subkey makes the signature. It is the master key, which makes sense given your point that not all subkeys can sign.

My question is about *what* is signed to generate the signature, not which key is signing. According to the RFC, it seems the master key should sign the subkey only, not both the subkey and the master key (as is done for subkey bindings, for example).

many thanks,
Adam





On Wednesday, February 5, 2014 6:49 PM, Adam Wasserman <***@yahoo.com> wrote:

 
Hi Mike,

I understand what you mean. You make a good point: if you have an El Gamal subkey, how do you revoke it? It can't sign.

A subkey is already bound to the master key in the key ring by its signature. In addition, from what I understand when calculating a signature over keys, you use the public portion. So including the master key is not a way of increasing certainty that the signer is who you think it is. And the RFC seems clear: you calculate over the subkey, and the subkey signs.

I've been experimenting with RSA keys, which can sign and encrypt. As per the RFC, GnuPG uses the subkey to sign. That wasn't my issue. It was that it used the subkey to generate a signature over itself as well as the master key. This seems contrary to the RFC.

But you really bring up a good point. What about subkeys that can't sign?

Adam





On Wednesday, February 5, 2014 3:58 PM, Michael Daigle <***@mikedaigle.ca> wrote:

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Post by Adam Wasserman
Thanks for your reply, Michael.
0x28: Subkey revocation signature The signature is calculated
directly on the subkey being revoked.It repeats the detail again
later on in 5.2.4.
I've noticed that if I export a key ring with a subkey revoked
using GnuPG, I can only verify the signature if I do so over both
the subkey and the master key. Also, if I generate a subkey
revocation signature, GnuPG only verifies and accepts it if I do so
by calculating it over both the subkey and the master key.
So it seems to me that GnuGP is using both the subkey and master
key for this signature. I'm not sure why, however. Seems it should
only be the subkey.
The master signing key is needed to authenticate the transaction. If
the subkey was an encryption subkey there would be no means at all to
sign the revocation certificate if the master signing key was not
used. It makes sense to me the master signing key would be required to
make any changes to certificate information or key material.

I may be missing what you're saying, otherwise I would have to say
everything seems to be working as designed and as it should.

- --
Mike Daigle http://www.mikedaigle.ca
Loading...