[agwa]

When I try to import HPA's key from the public key servers, I get an "invalid subkey binding" error and the weak sub key isn't imported. That error means that the sub key isn't properly signed by HPA's master key, so there is no cryptographic proof that this weak sub key actually belongs to HPA. This looks more like a fake sub key that someone tried to pollute the public key servers with, which isn't really an issue because PGP implementations will just ignore it.

  gpg --verbose --keyserver hkp://hkps.pool.sks-keyservers.net --recv-key 0xbda06085493bace4
  gpg: requesting key 0xBDA06085493BACE4 from hkp server hkps.pool.sks-keyservers.net
  gpg: armor header: Version: SKS 1.1.5
  gpg: armor header: Comment: Hostname: keyserver.witopia.net
  gpg: pub  4096R/0xBDA06085493BACE4 2011-09-22  H. Peter Anvin <hpa@infradead.org>
  gpg: key 0xBDA06085493BACE4: invalid subkey binding
  gpg: key 0xBDA06085493BACE4: skipped subkey
  gpg: key 0xBDA06085493BACE4: "H. Peter Anvin (hpa) <hpa@zytor.com>" not changed
  gpg: Total number processed: 1
  gpg:              unchanged: 1

[schoen]

I think you may have solved the mystery, including my confusion about why I couldn't get the vulnerable subkey from the keyservers. My gpg was silently discarding the vulnerable subkey because it doesn't have a proper signature.

If this is the explanation, then this is either an attack by a random person or an attack or flaw in a keyserver, but an attack that's unlikely to work because users will discard the bad key rather than using it.

[acqq]

The keyservers aren't secure anyway. The are more like a big public walls on which everybody can write any number.

The users are the ones responsible for any key verification.

[diafygi]

Yes! It looks like someone inserted a broken subkey with an invalid signature into the keyserver. If your software didn't validate subkey signatures, you could very well think that a package was signed by HPA. Alternatively, it could be that someone was just fucking around and uploaded a subkey with invalid signature for the lolz.

Here's a json export of the packets: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84

Here's the factored subkey: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...

Here's the factored subkey's bad signature: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...

EDIT: It's the EXACT SAME subkey self-signature packet as HPA's real subkey self-signature packet! Someone (by malice or mistake) manually added a subkey to HPA's public key and copied the signature from the other subkey directly onto the new subkey.

These are the same:

Bad subkey self-signature: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...

Good subkey self-signature: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...

[agwa]

That JSON export is cool - how did you generate it?

[diafygi]

One of my side projects: https://github.com/diafygi/openpgp-python

Not fully functional yet, but was able to convert this public key to json. I manually removed the non-self signature packets for the gist.

[garrettr_]

    This looks more like a fake sub key that someone tried to pollute the public key servers with

Does anybody know how that would be possible? I can't understand why a key server would accept a subkey unless it was correctly signed by the primary key. At the moment, all I can think is:

1. Misbehavior on the part of someone running a keyserver.

2. A bug in the keyserver software

    which isn't really an issue because PGP implementations will just ignore it

Has that always been the case? With all widely used PGP implementations?

I ask both of the questions because I can't understand why anybody would go to the trouble of doing this unless it supports some kind of attack (which may no longer be viable, but perhaps was at some time in the past).

[diafygi]

The SKS keyserver pool (which keys.gnupg.net alias's to) doesn't do any cryptographic verification, even verifying self-signatures, before upload. The software just checks to see if the format is valid.

It's up to the clients to do their own verification, which in this case GPG does perfectly (it doesn't import the invalid subkey since the self-signature is invalid).

[davout]

If it's true it's a nice DoS vector

[lutoma]

fwiw this is currently being discussed on the sks mailing list, but the overwhelming opinon seems to be that the current behaviour should stay. https://lists.nongnu.org/archive/html/sks-devel/2015-05/msg0...