Everybody who is debating over Ploni’s key is missing the point.
An OpenPGP userid is itself a digitally signed statement. Ploni’s key (and indeed,
every valid OpenPGP key) also contains within itself several other important digital signatures, which prevent attacks that the people arguing with me are too ignorant to even think of.
nutildah and
dragonvslinux are stating misinformation that effectually FUDs the security of OpenPGP standard.
DireWolfM14 seemed to get it, but then just had to get in a dig at me—oops, wrong, too. Everything that
PrimeNumber7 said was technically correct; but he seemed to only be replying to the last post (please check the prior context).
If that is a fancy means of saying, “TL;DR”, here is the TL;DR:
I did import the key and noticed that, but it's still not the same thing as providing a signature along with the key. It is extremely compelling rationale that the public key belongs to this user but there is no substitution for producing a signature from the corresponding private key.
Wrong.
The PGP certificate contains a digital signature from the corresponding private key. I explained this at length; and as
I noted:
The signature is required.
I am all for the proper use of digital signatures. That cause is not helped by misinformation which, on your part, seems to be motivated by a desire to personally oppose me.
The statement claiming a forum uid is digitally signed. What other digital signatures do you want? Perhaps a demonstration that Ploni can actually sign with his signing subkey—with
any and all signing subkey(s)? That would prevent Ploni from adding
e.g. Satoshi’s public key to his public PGP certificate as a signing subkey, even though he couldn’t sign with it. Such mischief may be of
very limited use to fool people who don’t understand any more about PGP than you evidently do, or for some oddball attacks in scenarios not relevant here; it seems that should be trivial to do that with some custom programming to wrangle PGP packets, yes?
I doubt that you even thought that far: Indeed, if somebody were to make multiple different signing subkeys and present a signed statement from only one of them, I doubt that you would even notice. But even if you thought of this,
the architects of the OpenPGP standard are still
way ahead of you:
The primary (certification) key and each signing subkey MUST digitally sign each other. And in Ploni’s case, they indeed did so:
$ gpg -v -v < ploni.asc 2>&1 | less
[...]
# off=937 ctb=b8 tag=14 hlen=2 plen=51
:public sub key packet:
version 4, algo 22, created 1583879873, expires 0
pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
pkey[1]: [263 bits]
keyid: B037730ED31FF9EB
# off=990 ctb=88 tag=2 hlen=2 plen=239
:signature packet: algo 22, keyid D50ED7B480AC5F96
version 4, created 1583879873, md5len 0, sigclass 0x18
digest algo 10, begin of digest 46 d6
hashed subpkt 33 len 21 (issuer fpr v4 C79DD6973572969A0C2CFC9BD50ED7B480AC5F96)
hashed subpkt 2 len 4 (sig created 2020-03-10)
hashed subpkt 27 len 1 (key flags: 02)
subpkt 16 len 8 (issuer key ID D50ED7B480AC5F96)
subpkt 32 len 117 (signature: v4, class 0x19, algo 22, digest algo 10)
data: [256 bits]
data: [253 bits]
[...]
N.b. these two lines, particularly the magic numbers 0x18 and 0x19:
version 4, created 1583879873, md5len 0, sigclass 0x18
subpkt 32 len 117 (signature: v4, class 0x19, algo 22, digest algo 10)
What does that mean?
https://tools.ietf.org/html/rfc4880#section-5.2.1
5.2.1. Signature Types
[...]
0x18: Subkey Binding Signature
This signature is a statement by the top-level signing key that
indicates that it owns the subkey. This signature is calculated
directly on the primary key and subkey, and not on any User ID or
other packets. A signature that binds a signing subkey MUST have
an Embedded Signature subpacket in this binding signature that
contains a 0x19 signature made by the signing subkey on the
primary key and subkey.
0x19: Primary Key Binding Signature
This signature is a statement by a signing subkey, indicating
that it is owned by the primary key and subkey. This signature
is calculated the same way as a 0x18 signature: directly on the
primary key and subkey, and not on any User ID or other packets.
https://tools.ietf.org/html/rfc2119
1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.
(Aside, those who want to know more OpenPGP magic numbers will want the IANA assignment list in addition to the RFC.)
Also relevant, just so that you know exactly what bits are being digitally signed:
https://tools.ietf.org/html/rfc4880#section-5.2.4
5.2.4. Computing Signatures
[...]
When a signature is made over a key, the hash data starts with the
octet 0x99, followed by a two-octet length of the key, and then body
of the key packet. (Note that this is an old-style packet header for
a key packet with two-octet length.) A subkey binding signature
(type 0x18) or primary key binding signature (type 0x19) then hashes
the subkey using the same format as the main key (also using 0x99 as
the first octet). Key revocation signatures (types 0x20 and 0x28)
hash only the key being revoked.
Thus, I count three different types of digital signatures that Ploni has provided—all of which were done automatically by his OpenPGP implementation, because the OpenPGP standard authors are also big fans of digital signatures (!):
- Ploni’s key contains within itself a digitally signed statement claiming ownership of his forum uid, in the form of an OpenPGP userid. This statement is digitally signed by the certification primary key, not the signing subkey. (Due to the unusual split-key construction of his PGP certificate, I suspect that the certification key is probably handled using some sort of security magic (airgap machine, etc.).) This digital signature is REQUIRED by the OpenPGP standard; and I have empirically demonstrated that if the signature is invalid, then GnuPG properly discards the userid with a warning. Of course, all of his other PGP userids are likewise digitally signed. So are any and all PGP userids created by anybody using OpenPGP standard software.
- Ploni’s key contains within itself a digitally signed statement by the primary key that it owns the signing subkey (sigclass 0x18). This is REQUIRED by the OpenPGP standard. Without this signature, OpenPGP-compliant software MUST reject the signing subkey.
- Ploni’s key contains within itself a digitally signed statement by the signing subkey (sigclass 0x19), acknowledging its ownership by the primary key. This completes the bidirectional binding which is REQUIRED by the OpenPGP standard, and proves that the person possessing the private primary key also possesses the private subkey. Without this signature, OpenPGP-compliant software MUST reject the signing subkey.
How many more digitally signed statements do you want? Please explain in technically precise terms
exactly what you want to see proved, and what attacks that is intended to prevent. If you thought of an attack that the OpenPGP standard authors and other PGP experts totally missed for the nearly 29 years
since the invention of PGP, please also report it to the
OpenPGP IETF working group, which is currently active for the
drafts of “RFC4880bis”. Thanks.
(I do note that there is no proof that Ploni can decrypt messages encrypted to his encryption subkey. The WKS draft standard implicitly requires a trusted server to test this ability before publishing a key with WKD. The OpenPGP standard does not provide any means to prove ownership of an encryption subkey using digital signatures; and doing so would require much effort for little gain, even for algorithms for which that could possibly be sensible (such as cv25519/ed25519). If you can think of a practical attack which could be done by falsely claiming ownership of an encryption-only subkey, please discuss it on the OpenPGP WG mailing list.)
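The bidirectional 0x18/0x19 binding and the 0x99-prefixed key hashing quoted above, as an added example that is not part of the original post and is not GnuPG code: a small Python lint (standard library only) that walks the packets of a transferable public key and flags a signing-capable subkey whose 0x18 binding lacks an embedded 0x19 back-signature issued by that subkey, i.e. the "add somebody else's public key as a signing subkey" mischief. It checks packet structure only and does not verify the ed25519 signature math (that is gpg's job); issuer matching uses the issuer key ID subpacket (type 16) only; the sample certificates are constructed inline with dummy key points and dummy signature MPIs.

```python
"""Structural lint for OpenPGP subkey bindings (RFC 4880 5.2.1, 5.2.3.1, 5.2.4, 12.2). Added
example, not code from the thread or from GnuPG. It checks packet structure only; the signature
math is NOT verified here (gpg does that). Samples use dummy key points and dummy signature MPIs."""
import hashlib
import struct

TAG_SIG, TAG_PUBKEY, TAG_SUBKEY, SUBKEY_BINDING, PRIMARY_KEY_BINDING = 2, 6, 14, 0x18, 0x19
SP_CREATED, SP_ISSUER, SP_KEY_FLAGS, SP_EMBEDDED_SIG, KEY_FLAG_SIGN = 2, 16, 27, 32, 0x02

def parse_packets(data):
    """Yield (tag, body); old-format (ctb=b8, ctb=88 in the listing) and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0xC0 == 0xC0:                          # new format (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[pos + 1]
            if first >= 224:
                raise ValueError("4-octet and partial body lengths not handled here")
            length, hlen = (first, 2) if first < 192 else (((first - 192) << 8) + data[pos + 2] + 192, 3)
        elif ctb & 0x80 and ctb & 3 != 3:               # old format (4.2.1), 1/2/4-octet length
            tag, hlen = (ctb >> 2) & 0x0F, 1 + (1 << (ctb & 3))
            length = int.from_bytes(data[pos + 1:pos + hlen], "big")
        else:
            raise ValueError("unsupported packet header at offset %d" % pos)
        yield tag, data[pos + hlen:pos + hlen + length]
        pos += hlen + length

def key_id(key_body):
    """Low 64 bits of the v4 fingerprint (12.2): SHA-1 over 0x99 || 2-octet length || key body,
    the same 0x99-prefixed encoding that 0x18 and 0x19 binding signatures hash (5.2.4)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]

def parse_subpackets(blob):
    """[(type, body)] from a subpacket area (5.2.3.1); bit 7 of the type (critical) is masked off."""
    out, pos = [], 0
    while pos < len(blob):
        first = blob[pos]
        length, pos = (first, pos + 1) if first < 192 else (((first - 192) << 8) + blob[pos + 1] + 192, pos + 2)
        out.append((blob[pos] & 0x7F, blob[pos + 1:pos + length]))
        pos += length
    return out

def parse_signature(body):
    """v4 signature body (5.2.3) -> (sigclass, hashed subpackets, unhashed subpackets); MPIs ignored."""
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    return body[1], parse_subpackets(body[6:6 + hlen]), parse_subpackets(body[8 + hlen:8 + hlen + ulen])

def subpkt(subs, typ):
    return next((b for t, b in subs if t == typ), None)

def lint_subkey_bindings(cert):
    """Findings for a transferable public key. [] means every signing-capable subkey has a 0x18
    from the primary key whose embedded 0x19 is issued by the subkey itself (RFC 4880 5.2.1)."""
    findings, primary, cur = [], None, None
    for tag, body in list(parse_packets(cert)) + [(None, b"")]:   # sentinel flushes the last subkey
        if tag != TAG_SIG and cur is not None:
            if not cur["bound"]:
                findings.append("subkey %s: no 0x18 subkey binding signature" % cur["hex"])
            cur = None
        if tag == TAG_PUBKEY:
            primary = key_id(body)
        elif tag == TAG_SUBKEY:
            cur = {"id": key_id(body), "hex": key_id(body).hex().upper(), "bound": False}
        elif tag == TAG_SIG and cur is not None:
            sigclass, hashed, unhashed = parse_signature(body)
            if sigclass != SUBKEY_BINDING:
                continue                                # e.g. a 0x28 subkey revocation; not examined
            cur["bound"] = True
            if subpkt(hashed + unhashed, SP_ISSUER) != primary:
                findings.append("subkey %s: 0x18 not issued by the primary key" % cur["hex"])
            flags = subpkt(hashed, SP_KEY_FLAGS) or b"\x00"    # hashed area only: the unhashed area is unsigned
            if not flags[0] & KEY_FLAG_SIGN:
                continue                                # encryption/authentication subkeys carry no back-signature
            embedded = subpkt(hashed + unhashed, SP_EMBEDDED_SIG)
            if embedded is None:
                findings.append("subkey %s: signing subkey without an embedded 0x19 back-signature" % cur["hex"])
                continue
            bclass, bhashed, bunhashed = parse_signature(embedded)
            if bclass != PRIMARY_KEY_BINDING or subpkt(bhashed + bunhashed, SP_ISSUER) != cur["id"]:
                findings.append("subkey %s: embedded signature is not a 0x19 issued by the subkey" % cur["hex"])
    return findings

def packet(tag, body):      # constructed samples below: old-format header, 1-octet length (ctb b8/88 as in the listing)
    return bytes([0x80 | (tag << 2), len(body)]) + body

def subpacket(typ, body):                               # 1-octet subpacket length
    return bytes([len(body) + 1, typ]) + body

def ed25519_key_body(point):    # algo 22 layout as in the listing: 9-octet OID 1.3.6.1.4.1.11591.15.1, then MPI 0x40||point
    return b"\x04" + struct.pack(">I", 1583879873) + b"\x16\x09" + bytes.fromhex("2b06010401da470f01") + b"\x01\x07\x40" + point

def signature_body(sigclass, hashed, unhashed):         # algo 22 (EdDSA), hash 10 (SHA-512), dummy left16 and r,s MPIs
    h, u = b"".join(hashed), b"".join(unhashed)
    return b"\x04" + bytes([sigclass, 22, 10]) + struct.pack(">H", len(h)) + h + struct.pack(">H", len(u)) + u + bytes(2) + b"\x00\x08\x80\x00\x08\x80"

def build_cert(with_backsig=True, signing=True):
    # Primary plus one subkey bound by a 0x18; dropping the 0x19 models a holder who cannot sign with the subkey.
    created = subpacket(SP_CREATED, struct.pack(">I", 1583879873))
    primary, sub = ed25519_key_body(b"\x11" * 32), ed25519_key_body(b"\x22" * 32)   # dummy points
    backsig = signature_body(PRIMARY_KEY_BINDING, [created], [subpacket(SP_ISSUER, key_id(sub))])
    unhashed = [subpacket(SP_ISSUER, key_id(primary))] + ([subpacket(SP_EMBEDDED_SIG, backsig)] if with_backsig else [])
    flags = subpacket(SP_KEY_FLAGS, bytes([KEY_FLAG_SIGN if signing else 0x0C]))   # 0x0C = encrypt-only
    return packet(TAG_PUBKEY, primary) + packet(TAG_SUBKEY, sub) + packet(TAG_SIG, signature_body(SUBKEY_BINDING, [created, flags], unhashed))
```

The constructed sample reproduces the packet layout of the listing above (old-format headers ctb=b8 and ctb=88, a 51-octet ed25519 subkey packet, key flags 02) with dummy key material, so `lint_subkey_bindings(build_cert())` returns no findings, `build_cert(with_backsig=False)` is reported as a signing subkey without its 0x19, and an encryption-only subkey is accepted without one. Key flags are read from the hashed area only, because nothing in the unhashed area is covered by the signature; and the lint says nothing about whether the signatures actually verify, which is exactly the part gpg does.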
I have added boldface to the part where nutildah misses the point that an OpenPGP userid is digitally signed:
I did import the key and noticed that, but it's still not the same thing as providing a signature along with the key. It is extremely compelling rationale that the public key belongs to this user but there is no substitution for producing a signature from the corresponding private key.
In technical terms, nullius is right, but I agree with you. The point nullius is missing is that here, on this site, one of the practical purposes of staking a GPG key is not only to claim ownership of the key, but to couple the key with your forum account. It's a security measure that could come in very handy if the account was ever hacked.
And what, pray tell, is the practical difference between a digitally signed OpenPGP userid claiming a forum uid, and a `gpg --clearsign` statement claiming a forum uid?
In my prior post, I pointed out that it is impossible to cryptographically bind a non-cryptographic identity, such as a forum account. Whereas posting a key with an embedded signed statement claiming the forum account is not functionally different than posting the key, plus a `gpg --clearsign` statement created almost simultaneously, with substantively the same content.
The timestamp of the generation date is only the timestamp reflected on the computer when it was generated, and this is something that can be trivially changed.
It’s even easier than that: gpg’s `--faked-system-time` option with an exclamation mark.
I showed how to do this in my recent demonstration wherein
I created my own Faketoshi key. I thereby perfectly duplicated almost all metadata in Satoshi’s real key, including (but not nearly limited to) the timestamps—using only bog-standard gpg, with no custom programming.
(The only tiny bit of mismatched metadata would have required some trivial programming to fix; it would have been easy, but not worthwhile since my point had been made.) I showed my work. Anybody who follows my posts would have seen that. Not that I am claiming credit for what Ploni did; I suspect that he has a very deep knowledge of the OpenPGP standard.
And how? Trivial.
$ cat faketoshi.conf
cert-digest-algo SHA1
default-preference-list AES256 AES192 AES128 CAST5 3DES SHA1 SHA256 RIPEMD160 ZLIB BZIP2 ZIP
$ gpg --faked-system-time "1225390759!" --options faketoshi.conf --expert --full-gen-key
[...]
When you sign a message, the signed message will contain a small amount of metadata. I assume this is why Ploni doesn't want to provide a signed message.
Good thought; this is an important point completely missed by most people. But controlling the metadata is only a matter of some practical know-how. Check my own PGP output. Anything you find, I wanted there. For example, you will not find any original filename unless I wanted to show one. If Ploni knew well enough to construct his key as he did, then he must know well enough to avoid leaking metadata which he does not wish to disclose.
I have a little surprise in store. It is pending blockchain confirmation. It is significant, so I will post when that’s done.