Everybody who is debating over Ploni’s key is missing the point.
An OpenPGP userid is itself a digitally signed statement. Ploni’s key (and indeed, every valid OpenPGP key) also contains within itself several other important digital signatures, which prevent attacks that the people arguing with me are too ignorant to even think of.
nutildah and dragonvslinux are stating misinformation that effectually FUDs the security of the OpenPGP standard.
DireWolfM14 seemed to get it, but then just had to get in a dig at me—oops, wrong, too. Everything that PrimeNumber7 said was technically correct; but he seemed to only be replying to the last post (please check the prior context).
If that is a fancy means of saying, “TL;DR”, here is the TL;DR:
> I did import the key and noticed that, but it's still not the same thing as providing a signature along with the key. It is extremely compelling rationale that the public key belongs to this user but there is no substitution for producing a signature from the corresponding private key.
Wrong.
The PGP certificate contains a digital signature from the corresponding private key. I explained this at length; and as I noted:
The signature is required.
I am all for the proper use of digital signatures. That cause is not helped by misinformation which, on your part, seems to be motivated by a desire to personally oppose me.
The statement claiming a forum uid is digitally signed. What other digital signatures do you want? Perhaps a demonstration that Ploni can actually sign with his signing subkey—with any and all signing subkey(s)? That would prevent Ploni from adding e.g. Satoshi’s public key to his public PGP certificate as a signing subkey, even though he couldn’t sign with it. Such mischief may be of very limited use to fool people who don’t understand any more about PGP than you evidently do, or for some oddball attacks in scenarios not relevant here; it seems that should be trivial to do that with some custom programming to wrangle PGP packets, yes?
I doubt that you even thought that far: Indeed, if somebody were to make multiple different signing subkeys and present a signed statement from only one of them, I doubt that you would even notice. But even if you thought of this, the architects of the OpenPGP standard are still way ahead of you:
The primary (certification) key and each signing subkey MUST digitally sign each other. And in Ploni’s case, they indeed did so:
```
$ gpg -v -v < ploni.asc 2>&1 | less
[...]
# off=937 ctb=b8 tag=14 hlen=2 plen=51
:public sub key packet:
version 4, algo 22, created 1583879873, expires 0
pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
pkey[1]: [263 bits]
keyid: B037730ED31FF9EB
# off=990 ctb=88 tag=2 hlen=2 plen=239
:signature packet: algo 22, keyid D50ED7B480AC5F96
version 4, created 1583879873, md5len 0, sigclass 0x18
digest algo 10, begin of digest 46 d6
hashed subpkt 33 len 21 (issuer fpr v4 C79DD6973572969A0C2CFC9BD50ED7B480AC5F96)
hashed subpkt 2 len 4 (sig created 2020-03-10)
hashed subpkt 27 len 1 (key flags: 02)
subpkt 16 len 8 (issuer key ID D50ED7B480AC5F96)
subpkt 32 len 117 (signature: v4, class 0x19, algo 22, digest algo 10)
data: [256 bits]
data: [253 bits]
[...]
```
N.b. these two lines, particularly the magic numbers 0x18 and 0x19:
```
version 4, created 1583879873, md5len 0, sigclass 0x18
subpkt 32 len 117 (signature: v4, class 0x19, algo 22, digest algo 10)
```
What does that mean?
https://tools.ietf.org/html/rfc4880#section-5.2.1

> > I did import the key and noticed that, but it's still not the same thing as providing a signature along with the key. It is extremely compelling rationale that the public key belongs to this user but there is no substitution for producing a signature from the corresponding private key.
>
> In technical terms, nullius is right, but I agree with you. The point nullius is missing is that here, on this site one of the practical purposes of staking a GPG key is not only to claim ownership of the key, but to couple the key with your forum account. It's a security measure that could come in very handy if the account was ever hacked.
And what, praytell, is the practical difference between a digitally signed OpenPGP userid claiming a forum uid, and a `gpg --clearsign` statement claiming a forum uid?
In my prior post, I pointed out that it is impossible to cryptographically bind a non-cryptographic identity, such as a forum account. Whereas posting a key with an embedded signed statement claiming the forum account is not functionally different than posting the key, plus a `gpg --clearsign` statement created almost simultaneously, with substantively the same content.
> The timestamp of the generation date is only the timestamp reflected on the computer when it was generated, and this is something that can be trivially changed.
It’s even easier than that: gpg’s `--faked-system-time` option with an exclamation mark.
I showed how to do this in my recent demonstration wherein I created my own Faketoshi key. I thereby perfectly duplicated almost all metadata in Satoshi’s real key, including (but not nearly limited to) the timestamps—using only bog-standard gpg, with no custom programming.
(The only tiny bit of mismatched metadata would have required some trivial programming to fix; it would have been easy, but not worthwhile since my point had been made.) I showed my work. Anybody who follows my posts would have seen that. Not that I am claiming credit for what Ploni did; I suspect that he has a very deep knowledge of the OpenPGP standard.
And how? Trivial.
```
$ cat faketoshi.conf
cert-digest-algo SHA1
default-preference-list AES256 AES192 AES128 CAST5 3DES SHA1 SHA256 RIPEMD160 ZLIB BZIP2 ZIP
$ gpg --faked-system-time "1225390759!" --options faketoshi.conf --expert --full-gen-key
[...]
```
> When you sign a message, the signed message will contain a small amount of metadata. I assume this is why Ploni doesn't want to provide a signed message.
Good thought; this is an important point completely missed by most people. But controlling the metadata is only a matter of some practical know-how. Check my own PGP output. Anything you find, I wanted there. For example, you will not find any original filename unless I wanted to show one. If Ploni knew well enough to construct his key as he did, then he must know well enough to avoid leaking metadata which he does not wish to disclose.
I have a little surprise in store. It is pending blockchain confirmation. It is significant, so I will post when that’s done.
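
Added example, not part of the original post and not GnuPG's own code: a structural check over a `gpg -v -v` packet dump like the one quoted above, reporting whether each signing-capable subkey (key flags bit 0x02) carries a 0x18 subkey binding signature with an embedded 0x19 primary key binding signature. The function names and the stripped counter-example are assumptions for illustration; the sample lines are copied from the dump in the post.

```python
import re

# Lines copied from the `gpg -v -v` dump in the post (subkey and its binding signature).
DUMP = """\
:public sub key packet:
version 4, algo 22, created 1583879873, expires 0
keyid: B037730ED31FF9EB
:signature packet: algo 22, keyid D50ED7B480AC5F96
version 4, created 1583879873, md5len 0, sigclass 0x18
hashed subpkt 27 len 1 (key flags: 02)
subpkt 32 len 117 (signature: v4, class 0x19, algo 22, digest algo 10)
"""
# Constructed counter-example: the same dump with the embedded 0x19 signature stripped.
DUMP_NO_BACKSIG = "\n".join(l for l in DUMP.splitlines() if "subpkt 32 " not in l)

def split_packets(dump):
    """Group dump lines into packets; a packet starts at a ':... packet:' header."""
    packets = []
    for line in dump.splitlines():
        s = line.strip()
        if s.startswith(":"):
            packets.append([s])
        elif packets and s and not s.startswith("#"):
            packets[-1].append(s)
    return packets

def audit_signing_subkeys(dump):
    """Map each signing-capable subkey's keyid to True if its 0x18 binding signature
    embeds a 0x19 primary key binding signature. Structural check only: it does not
    verify any signature cryptographically."""
    results, subkey = {}, None
    for head, *rest in split_packets(dump):
        body = " ".join(rest)
        if "sub key packet:" in head:
            m = re.search(r"keyid: ([0-9A-F]{16})", body)
            subkey = m.group(1) if m else None
        elif "key packet:" in head:      # a new primary key ends the subkey context
            subkey = None
        elif head.startswith(":signature packet:") and subkey:
            cls = re.search(r"sigclass 0x([0-9a-f]{2})", body)
            flags = re.search(r"key flags: ([0-9A-Fa-f]{2})", body)
            signing = flags and int(flags.group(1), 16) & 0x02
            if cls and cls.group(1) == "18" and signing:
                backsig = bool(re.search(r"subpkt 32 len \d+ \(signature: v\d, class 0x19", body))
                results[subkey] = results.get(subkey, False) or backsig
    return results
```

A `False` entry marks a signing subkey whose binding lacks the back-signature, which is the case the cross-signing requirement exists to catch.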