On Thu, 5 Apr 2018 22:49, car...@debian.org said:

> CVE-2018-9234:
> | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
> | certification requires an offline master Certify key, which results in
> | apparently valid certifications that occurred only with access to a
> | signing subkey.

That is more a description of an unspecified behaviour of OpenPGP. It is,
from the specs, not clear whether a subkey shall be able to certify a
userid or a subkey. The problem with such a certification from a subkey is
that you can't evaluate it due to the catch-22: the key usage flags are part
of the signature itself, and to check the signature you need to have the
usage flags. For the primary key this is not a problem because it
implicitly has certification usage.

We are currently testing a patch but are also considering disallowing
certification from subkeys altogether.

> Please adjust the affected versions in the BTS as needed. Can you
> clarify if this affects as well way back to STABLE-BRANCH-1-4?

We won't do any large change to 1.4 and may eventually remove smart card
support from 1.4 - it is anyway very limited when not used with the 2.2
gpg-agent, and even then it does not support everything we have in 2.2.

Salam-Shalom,

   Werner

p.s.
I am a bit wondering whether escalating this bug report
(https://dev.gnupg.org/T3844) via a CVE was a sensible strategy.

-- 
# Please read:  Daniel Ellsberg - The Doomsday Machine #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
(Thoughts are free.  Exceptions are regulated by a federal law.)
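An added illustration of the catch-22 described in the reply above (example code written for this page; it is neither GnuPG's code nor Werner's): a minimal, purely structural OpenPGP packet walker that, for every user-ID certification on a key, reports whether the issuer is a primary key, a subkey (and whether that subkey's binding signature even claims the certify flag), or a key we do not hold at all. It assumes v4 keys and signatures, takes key flags only from the hashed subpacket area, and does not handle partial-body or 5-octet lengths. The sample keys for Alice and Bob are constructed inline from dummy RSA-shaped material, so no signature is cryptographically verified; packet tags, subpacket numbers, header formats and the v4 fingerprint construction follow RFC 4880.

```python
import hashlib
import struct

TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_SUBKEY = 2, 6, 13, 14          # packet tags
SP_ISSUER_KEYID, SP_KEY_FLAGS, SP_ISSUER_FPR = 16, 27, 33         # signature subpacket types
FLAG_CERTIFY, FLAG_SIGN, SUBKEY_BINDING = 0x01, 0x02, 0x18
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}                              # user-ID certification types

def _length(buf, i, subpacket=False):  # new-format length octets -> (length, next index)
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    raise ValueError("5-octet and partial body lengths not supported")

def iter_packets(data):  # yield (tag, body) for old- and new-format packet headers
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:
            tag, (n, i) = ctb & 0x3F, _length(data, i)
        else:
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]
            if not size:
                raise ValueError("indeterminate length not supported")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def parse_subpackets(area):  # yield (type without the critical bit, value)
    i = 0
    while i < len(area):
        n, i = _length(area, i, subpacket=True)
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def parse_signature(body):  # v4 signature body -> (sig type, issuer, key flags)
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    hashed = list(parse_subpackets(body[6:6 + hlen]))
    unhashed = list(parse_subpackets(body[8 + hlen:8 + hlen + ulen]))
    issuer, flags = None, 0
    for t, v in hashed + unhashed:   # prefer the fingerprint (sp 33) over the key ID (sp 16)
        if t == SP_ISSUER_FPR and v[:1] == b"\x04":
            issuer = v[1:]
        elif t == SP_ISSUER_KEYID and issuer is None:
            issuer = v
    for t, v in hashed:              # only the hashed area is covered by the signature
        if t == SP_KEY_FLAGS and v:
            flags = v[0]
    return body[1], issuer, flags

def v4_fingerprint(key_body):  # SHA-1(0x99 || 2-octet length || key body), RFC 4880 12.2
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()

def issued_by(issuer, fpr):  # issuer may be a 20-octet fingerprint or its 8-octet key ID
    return issuer is not None and (issuer == fpr or (len(issuer) == 8 and fpr.endswith(issuer)))

def walk_key(key):  # -> (primary fpr, {subkey fpr: key flags}, [(user id, sig type, issuer)])
    primary, uid, subkey, subkeys, certs = None, None, None, {}, []
    for tag, body in iter_packets(key):
        if tag == TAG_PUBKEY:
            primary = v4_fingerprint(body)
        elif tag == TAG_UID:
            uid, subkey = body.decode("utf-8"), None
        elif tag == TAG_SUBKEY:
            subkey, uid = v4_fingerprint(body), None
            subkeys[subkey] = 0
        elif tag == TAG_SIG:
            sig_type, issuer, flags = parse_signature(body)
            if uid is not None and sig_type in CERT_TYPES:
                certs.append((uid, sig_type, issuer))
            elif subkey is not None and sig_type == SUBKEY_BINDING:
                subkeys[subkey] = flags   # a subkey's usage exists only inside this signature
    return primary, subkeys, certs

def classify(issuer, walked_keys):  # which key, among those we hold, made the certification?
    for primary, subkeys, _ in walked_keys:
        if issued_by(issuer, primary):
            return "primary key"            # implicitly allowed to certify
        for fpr, flags in subkeys.items():
            if issued_by(issuer, fpr):
                return "subkey with certify flag" if flags & FLAG_CERTIFY else "subkey without certify flag"
    return "unknown issuer"                 # nothing to evaluate the signature against

def audit(target, *others):  # -> [(user id, sig type, verdict)] for the certifications on target
    walked = [walk_key(k) for k in (target,) + others]
    return [(uid, st, classify(issuer, walked)) for uid, st, issuer in walked[0][2]]

# Constructed sample: RSA-shaped dummy key material and dummy signature MPIs; nothing is verified.
def _pkt(tag, body):  # new-format header; every body built here is < 192 octets
    return bytes([0xC0 | tag, len(body)]) + body

def _key_body(label):  # v4, creation time, algo 1 (RSA), dummy n, e = 65537
    return b"\x04\x5a\xc5\x00\x00\x01" + struct.pack(">H", len(label) * 8) + label + b"\x00\x11\x01\x00\x01"

def _sig_body(sig_type, issuer_fpr, flags=None):
    sp = lambda t, v: bytes([len(v) + 1, t]) + v
    hashed = sp(SP_ISSUER_FPR, b"\x04" + issuer_fpr) + (sp(SP_KEY_FLAGS, bytes([flags])) if flags is not None else b"")
    unhashed = sp(SP_ISSUER_KEYID, issuer_fpr[-8:])
    return (b"\x04" + bytes([sig_type]) + b"\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00\x00\x08\xff")

def build_sample():  # Alice's key: her self-signature plus a certification made with Bob's signing subkey
    alice_p, bob_p, bob_s = _key_body(b"alice-primary"), _key_body(b"bob-primary"), _key_body(b"bob-subkey")
    a_fpr, b_fpr, bs_fpr = map(v4_fingerprint, (alice_p, bob_p, bob_s))
    alice = (_pkt(TAG_PUBKEY, alice_p) + _pkt(TAG_UID, b"Alice <alice@example.org>")
             + _pkt(TAG_SIG, _sig_body(0x13, a_fpr, FLAG_CERTIFY | FLAG_SIGN))
             + _pkt(TAG_SIG, _sig_body(0x10, bs_fpr)))
    bob = (_pkt(TAG_PUBKEY, bob_p) + _pkt(TAG_SUBKEY, bob_s)
           + _pkt(TAG_SIG, _sig_body(SUBKEY_BINDING, b_fpr, FLAG_SIGN)))   # sign-only binding
    return alice, bob
```

`audit(alice, bob)` reports Alice's self-signature as made by a primary key and Bob's certification as made by a subkey without the certify flag; `audit(alice)` alone reports that same certification as "unknown issuer". That second result is the practical form of the catch-22: whether the certifying key is a subkey, and what usage it claims, can only be read from the issuer's own key and its binding signature, never from the certification itself, and the certification packet looks the same either way.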