sks-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] unwanted tolerance of buggy keys

From: Jeffrey Johnson
Subject: Re: [Sks-devel] unwanted tolerance of buggy keys
Date: Mon, 30 Jul 2012 22:10:10 -0400 
On Jul 30, 2012, at 3:20 PM, Clint Adams <address@hidden> wrote:

> This key
> 
> http://zimmerman.mayfirst.org:11371/pks/lookup?op=get&search=0xED34CEABE27BAABC
> 
> is buggy.  It contains a generic certification packet on the first subkey
> and a positive certification packet on the second subkey.
> 
> From a quick glance at the SKS source code, it looks as though the signature
> type is not being checked.
> 
> If I read RFC4480 section 11.1 correctly, the only signature types valid on
> a subkey should be 0x19 and 0x28.
> 

The relevant text appears to be this:

  Each Subkey packet MUST be followed by one Signature packet, which
   should be a subkey binding signature issued by the top-level key.
   For subkeys that can issue signatures, the subkey binding signature
   MUST contain an Embedded Signature subpacket with a primary key
   binding signature (0x19) issued by the subkey on the top-level key.

   Subkey and Key packets may each be followed by a revocation Signature
   packet to indicate that the key is revoked.  Revocation signatures
   are only accepted if they are issued by the key itself, or by a key
   that is authorized to issue revocations via a Revocation Key
   subpacket in a self-signature by the top-level key.

There's no reading that precludes other signature types like
0x10 -> 0x13 on a subkey to my reading. Meanwhile, the
whole issue of what other signatures might be applied to
subkeys afaik: the usage of pubkey signatures (other than
binding/revocation) is all a bit murky imho.

> Could you please implement this restriction in SKS?
> 

I'm not sure SKS is the Right Place to enforce conformance
(much like discussions about OpenPGP binding signatures).

If you do wish to enforce conformance, the proper place is
when punbkeys are imported, not within distribution, based
on previously voiced opinions.

I doubt that there are many subkeys with 0x10 -> 0x13 signatures
no matter what (but haven't looked).

hth

73 de Jeff


> _______________________________________________
> Sks-devel mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/sks-devel
reply via email to
[Prev in Thread] Current Thread [Next in Thread]