Mailing List Archive: GnuPG: devel
Re: subkey binding signature with no usage flags and/or a critical notation
dkg at fifthhorseman

Sep 13, 2013, 3:03 PM



On Wed 2013-09-11 17:46:41 -0400, Daniel Kahn Gillmor wrote:
> Without this patch, if a subkey with a usage flags subpacket that is
> all-zero appears, GnuPG thinks that the key is valid for all
> capabilities (usage: SCEA).
>
> This is dangerous in several ways:
>
> * if it's your own key, GnuPG will use it to sign messages or certify
> other OpenPGP certificates
>
> * if it's someone else's key, GnuPG will encrypt to it
>
> * if it's someone else's key, GnuPG may be willing to rely on OpenPGP
> certifications made by the key, despite the owner having clearly
> marked that it is not acceptable for that use.
>
> Depending on how such a key is actually used in practice, this may cause
> unrelated confidential data to be revealed, or it may let GnuPG follow
> spoofable paths through the WoT.

[...]

> I'm inclined to see this as a security vulnerability (because of the
> confidentiality and certification-following concerns); I'd like to see
> it fixed in the stable branches and assigned a CVE, so that I can push
> for getting it resolved in those distros that care about CVE coverage.

This is now CVE-2013-4351.

Regards,

--dkg

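The misinterpretation dkg describes above, as an added example that is not GnuPG's code and not the patch under discussion: a small parser for the signature subpacket area (RFC 4880 sections 5.2.3.1 and 5.2.3.21) with two readers of the Key Flags subpacket (type 27). The "buggy" reader collapses an explicit all-zero flags octet into the same case as a missing subpacket and so reports the subkey as usable for everything (GnuPG's "SCEA"); the "fixed" reader grants no capability when the owner set all flags to zero. Treating a missing subpacket as all-capable is an assumption made for this example, and the subpacket areas are constructed, not taken from any real key.

```python
# Added example (not GnuPG's code): interpreting the OpenPGP Key Flags
# subpacket on a subkey binding signature. Layout per RFC 4880 5.2.3.1
# (subpacket encoding) and 5.2.3.21 (Key Flags, subpacket type 27).
import struct

SUBPKT_CREATION_TIME = 2   # RFC 4880 5.2.3.4
SUBPKT_KEY_FLAGS = 27      # RFC 4880 5.2.3.21

# Key Flags bits (RFC 4880 5.2.3.21) mapped to GnuPG's usage letters.
KEY_FLAG_LETTERS = (
    (0x01, "C"),  # may certify other keys
    (0x02, "S"),  # may sign data
    (0x04, "E"),  # may encrypt communications
    (0x08, "E"),  # may encrypt storage
    (0x20, "A"),  # may be used for authentication
)
ALL_USAGE = "SCEA"  # what GnuPG prints for a key usable for everything


def parse_subpackets(area: bytes):
    """Split a signature subpacket area into (type, critical, body) tuples."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length = (first - 192) * 256 + area[i + 1] + 192
            i += 2
        else:                                # five-octet length
            length = struct.unpack(">I", area[i + 1:i + 5])[0]
            i += 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        type_octet = area[i]                 # bit 7 is the critical bit
        body = area[i + 1:i + length]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), body))
        i += length
    return out


def encode_subpacket(sp_type: int, body: bytes, critical: bool = False) -> bytes:
    """Build one subpacket with a one-octet length (enough for these samples)."""
    length = len(body) + 1
    if length >= 192:
        raise ValueError("sample helper only handles short subpackets")
    return bytes([length, sp_type | (0x80 if critical else 0)]) + body


def usage_from_flags(flags: int) -> str:
    """Render a Key Flags octet in GnuPG's letter order, e.g. 0x0c -> 'E'."""
    letters = {l for bit, l in KEY_FLAG_LETTERS if flags & bit}
    return "".join(l for l in ALL_USAGE if l in letters)


def find_key_flags(subpackets):
    """Return the Key Flags octet, or None if the subpacket is absent."""
    for sp_type, _critical, body in subpackets:
        if sp_type == SUBPKT_KEY_FLAGS and body:
            return body[0]
    return None


def usage_buggy(area: bytes) -> str:
    """The behaviour the thread describes: flags == 0 is handled exactly
    like a missing subpacket, so the subkey is treated as good for everything."""
    flags = find_key_flags(parse_subpackets(area))
    if not flags:            # None and 0 are indistinguishable here
        return ALL_USAGE
    return usage_from_flags(flags)


def usage_fixed(area: bytes) -> str:
    """Corrected reading: an explicit all-zero Key Flags subpacket grants
    nothing. Only a truly absent subpacket falls back to the default
    (modelled as ALL_USAGE; an assumption made for this example)."""
    flags = find_key_flags(parse_subpackets(area))
    if flags is None:
        return ALL_USAGE
    return usage_from_flags(flags)


# Constructed sample hashed-subpacket areas (not from any real key).
CREATION = encode_subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", 1363100000))
AREA_ZERO_FLAGS = CREATION + encode_subpacket(SUBPKT_KEY_FLAGS, b"\x00")
AREA_ENCRYPT_ONLY = CREATION + encode_subpacket(SUBPKT_KEY_FLAGS, b"\x0c")
AREA_NO_FLAGS = CREATION

if __name__ == "__main__":
    for name, area in (("all-zero key flags", AREA_ZERO_FLAGS),
                       ("encrypt-only key flags", AREA_ENCRYPT_ONLY),
                       ("no key-flags subpacket", AREA_NO_FLAGS)):
        print(f"{name:24s} buggy={usage_buggy(area)!r:8s} fixed={usage_fixed(area)!r}")
```

The check a reviewer wants is the one the first sample exercises: with an all-zero Key Flags subpacket present, the buggy reader yields "SCEA" while the fixed reader yields an empty usage string, so the key is neither signed with, certified with, encrypted to, nor relied on for certifications.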
Subject User Time
subkey binding signature with no usage flags and/or a critical notation dkg at fifthhorseman Mar 12, 2013, 1:51 PM
    Re: subkey binding signature with no usage flags and/or a critical notation christian at quelltextlich Mar 13, 2013, 4:22 AM
        Re: subkey binding signature with no usage flags and/or a critical notation dkg at fifthhorseman Mar 13, 2013, 2:30 PM
    Re: subkey binding signature with no usage flags and/or a critical notation dshaw at JABBERWOCKY Mar 13, 2013, 3:27 PM
    Re: subkey binding signature with no usage flags and/or a critical notation nicholas.cole at gmail Mar 14, 2013, 7:34 AM
    Re: subkey binding signature with no usage flags and/or a critical notation dkg at fifthhorseman Mar 14, 2013, 9:02 AM
        Re: subkey binding signature with no usage flags and/or a critical notation nicholas.cole at gmail Mar 14, 2013, 10:47 AM
    Re: subkey binding signature with no usage flags and/or a critical notation dkg at fifthhorseman Mar 14, 2013, 9:05 AM
        Re: subkey binding signature with no usage flags and/or a critical notation wk at gnupg Mar 15, 2013, 7:52 AM
            Re: subkey binding signature with no usage flags and/or a critical notation dkg at fifthhorseman Mar 15, 2013, 10:13 AM
            Re: subkey binding signature with no usage flags and/or a critical notation dkg at fifthhorseman Sep 11, 2013, 2:46 PM
                Re: subkey binding signature with no usage flags and/or a critical notation dkg at fifthhorseman Sep 13, 2013, 3:03 PM
                Re: subkey binding signature with no usage flags and/or a critical notation wk at gnupg Sep 14, 2013, 1:51 AM
                    Re: subkey binding signature with no usage flags dkg at fifthhorseman Sep 14, 2013, 8:44 AM
                        Re: subkey binding signature with no usage flags rjh at sixdemonbag Sep 14, 2013, 9:26 AM
                            Re: subkey binding signature with no usage flags dkg at fifthhorseman Sep 14, 2013, 9:45 AM
                                Re: subkey binding signature with no usage flags rjh at sixdemonbag Sep 14, 2013, 10:00 AM
                                Re: subkey binding signature with no usage flags nicholas.cole at gmail Sep 14, 2013, 10:42 AM
                        Re: subkey binding signature with no usage flags dkg at fifthhorseman Sep 14, 2013, 12:02 PM
    Re: subkey binding signature with no usage flags and/or a critical notation wk at gnupg Mar 19, 2013, 7:52 AM
        Re: subkey binding signature with no usage flags and/or a critical notation dkg at fifthhorseman Mar 19, 2013, 8:25 AM
            Re: subkey binding signature with no usage flags and/or a critical notation dkg at fifthhorseman Sep 10, 2013, 1:50 PM
