x/crypto/openpgp: cross-certification signatures not verified #10740
Labels
Milestone
Comments
kbsriram
changed the title
|
Fixed by go.crypto c10c31b |
FiloSottile
pushed a commit
to FiloSottile/go
that referenced
this issue
Nov 24, 2019
Section 11.1 of RFC4880 requires that binding signatures on signing subkeys contain a valid embedded signature that cross-certifies the primary key. This is to avoid the weakness described at https://www.gnupg.org/faq/subkey-cross-certify.html Fixes golang#10740 Change-Id: Ibe039662497832945957b001a83080ba29213703 Reviewed-on: https://go-review.googlesource.com/9799 Reviewed-by: Adam Langley <agl@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
go version devel +aebd123 Thu May 7 01:24:27 2015 +0000 darwin/amd64
The openpgp code needs additional checks around signatures made on signing subkeys. In particular, verifying embedded signatures (i.e., back or cross signatures made by a signing subkey on the primary key) is a required check for rfc4880, and avoids the problems mentioned at https://www.gnupg.org/faq/subkey-cross-certify.html
(Section 11.1 from the RFC also has the "must" requirements for validating signing subkeys.)
The text was updated successfully, but these errors were encountered: