go version devel +aebd123 Thu May 7 01:24:27 2015 +0000 darwin/amd64
The openpgp code needs additional checks around signatures made on signing subkeys. In particular, verifying embedded signatures (i.e., back or cross signatures made by a signing subkey on the primary key) is a required check for rfc4880, and avoids the problems mentioned at https://www.gnupg.org/faq/subkey-cross-certify.html
(Section 11.1 from the RFC also has the "must" requirements for validating signing subkeys.)
kbsriram changed the title from "crypto/openpgp: cross-certification signatures not verified" to "x/crypto/openpgp: cross-certification signatures not verified" on May 7, 2015
Section 11.1 of RFC4880 requires that binding signatures on
signing subkeys contain a valid embedded signature that cross-certifies
the primary key. This is to avoid the weakness described at
https://www.gnupg.org/faq/subkey-cross-certify.html

Fixes golang#10740
Change-Id: Ibe039662497832945957b001a83080ba29213703
Reviewed-on: https://go-review.googlesource.com/9799
Reviewed-by: Adam Langley <agl@golang.org>
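
An added example, not the x/crypto/openpgp code or the change itself: a simplified Go model of the rule the commit message describes, where a binding on a signing subkey is accepted only if its embedded signature, made by the subkey, covers this primary key. It uses standard-library Ed25519 keys instead of OpenPGP packets; `Binding`, `msg`, `VerifyBinding` and `demo` are hypothetical names, and the signed bytes are a stand-in for the RFC 4880 hash input.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

const ( // values from RFC 4880
	sigSubkeyBinding     = 0x18 // signature made by the primary key
	sigPrimaryKeyBinding = 0x19 // signature made by the subkey (cross-certification)
	flagSign             = 0x02 // key flag: subkey may sign data
)

// Binding is a hypothetical, simplified subkey binding signature.
type Binding struct {
	Flags    byte
	Sig      []byte // 0x18 signature by the primary key
	Embedded []byte // 0x19 signature by the subkey, nil if absent
}

// msg stands in for OpenPGP's hash input: type || primary || subkey.
func msg(t byte, prim, sub ed25519.PublicKey) []byte {
	return append(append([]byte{t}, prim...), sub...)
}

// VerifyBinding requires a valid embedded signature on signing subkeys only.
func VerifyBinding(prim, sub ed25519.PublicKey, b Binding) error {
	if !ed25519.Verify(prim, msg(sigSubkeyBinding, prim, sub), b.Sig) {
		return errors.New("invalid subkey binding signature")
	}
	if b.Flags&flagSign != 0 && !ed25519.Verify(sub, msg(sigPrimaryKeyBinding, prim, sub), b.Embedded) {
		return errors.New("signing subkey lacks a valid cross-certification")
	}
	return nil
}

// demo checks three constructed bindings: valid, embedded missing, embedded reused.
func demo() (good, missing, reused error) {
	aPub, aPriv, _ := ed25519.GenerateKey(nil) // primary A
	bPub, bPriv, _ := ed25519.GenerateKey(nil) // primary B
	sPub, sPriv, _ := ed25519.GenerateKey(nil) // signing subkey
	x := Binding{flagSign, ed25519.Sign(aPriv, msg(0x18, aPub, sPub)), ed25519.Sign(sPriv, msg(0x19, aPub, sPub))}
	y := Binding{Flags: flagSign, Sig: ed25519.Sign(bPriv, msg(0x18, bPub, sPub))}
	z := Binding{flagSign, y.Sig, x.Embedded} // embedded signature was made over primary A
	return VerifyBinding(aPub, sPub, x), VerifyBinding(bPub, sPub, y), VerifyBinding(bPub, sPub, z)
}

func main() { fmt.Println(demo()) }
```

Because the embedded signature covers the primary key as well as the subkey, the copy taken from the binding under primary A does not verify under primary B.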