-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi
On Monday 9 May 2011 at 5:09:00 PM, in <mid:201105091809.05423.mailinglis...@hauke-laging.de>, Hauke Laging wrote: > Am Sonntag, 8. Mai 2011, 14:50:36 schrieb MFPA: >> Mainly the key's owner, but could also protect others from relying on >> signatures from a compromised key for which they have not received a >> revocation certificate. > Right. The problem: Protection you don't know of. So > seriously this additional protection will not be taken > into account (unless you happen to have more > information about the key handling). I meant the protection other users derive because the compromised subkey expired and the attacker cannot keep making signatures with it. >> Could a modified version of "HOW TO MIGRATE A (SUB)KEY >> INTO A NEW KEY" >> http://atom.smasher.org/gpg/gpg-migrate.txt be used to >> substitute one of your subkeys with another of the >> same type and size? Or what would be the implications >> of an attacker migrating your subkeys to another >> master key? > That would be useless. The result would be that the > attacked user (if he had imported the master key with > the migrated subkey) would believe that a signature has > been made by the attacker instead of the person whom he > has stolen the key from. Could that be a form of attack? Bob and Mallory sign a contract of some kind - it transpires the contract benefits Bob - Mallory tries to make it look as if Bob had not signed. > The problem is that German > / EU signature law requires a legally fully trusted key > to be created in hardware which he can never be read > from. So the so called qualified signatures can be made > with smartcards only. Thus the certification > authorities are not allowed so certify today's mainkeys > because you can create valid subkeys outside smartcards > with them without the CA being part of that. Sounds like vested interests calling the shots. > IMHO there are only two possibilities for making (a new > version of) OpenPGP signature law compatible: There is a third way: amend the law so that the Web of Trust is used instead of the CAs. - -- Best regards MFPA mailto:expires2...@ymail.com Look, it's a hat! It's not going to hurt you. -----BEGIN PGP SIGNATURE----- iQE7BAEBCgClBQJNyCmZnhSAAAAAAEAAVXNpZ25pbmdfa2V5X0lEIHNpZ25pbmdf a2V5X0ZpbmdlcnByaW50IEAgIE1hc3Rlcl9rZXlfRmluZ2VycHJpbnQgQThBOTBC OEVBRDBDNkU2OSBCQTIzOUI0NjgxRjFFRjk1MThFNkJENDY0NDdFQ0EwMyBAIEJB MjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0N0VDQTAzAAoJEKipC46tDG5po0AD/iuB L6eK+ZSvFteIFxU1cMg6iEPAzKQNuRA9AheQtKUox/cTEoIPLx0MUpZuRP+JWy86 8VUe5TytuDuFilz5dC7VQOofZfVfyp5pJMWBeO/aJ/wLvBtL20ty4jyk8pwjeA6H Uf/2x/qil1p881Bgv9VkW8j/RQQH4rkUyT1Z9Fcz =qWQU -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users