On Thu,  5 Apr 2018 22:49, car...@debian.org said:

> CVE-2018-9234[0]:
> | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
> | certification requires an offline master Certify key, which results in
> | apparently valid certifications that occurred only with access to a
> | signing subkey.

That is more a description of an unspecified behaviour of OpenPGP. It is,
from the specs, not clear whether a subkey shall be able to certify a
userid or a subkey.

The problem with such a certification from a subkey is that you can't
evaluate it due to the catch-22: the key usage flags are part of the
signature itself, and to check the signature you need to have the usage
flags.  For the primary key this is not a problem because it implicitly
has certification usage.

We are currently testing a patch but are also considering disallowing
certification from subkeys altogether.

> Please adjust the affected versions in the BTS as needed. Can you
> clarify if this affects as well way back to STABLE-BRANCH-1-4?

We won't do any large change to 1.4 and may eventually remove smart card
support from 1.4 - it is anyway very limited when not used with the 2.2
gpg-agent, and even then it does not support everything we have in 2.2.



I am a bit wondering whether escalating this bug report
(https://dev.gnupg.org/T3844) via a CVE was a sensible strategy.

#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are governed by a federal law.
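The alternative Werner mentions, refusing certifications issued by a subkey instead of trying to read a certify capability out of the signature's own key-flags subpacket, can be illustrated with a small parser. The following is an added example, not GnuPG's code and not the patch under test: it decodes the hashed subpacket area of an RFC 4880 v4 signature packet, extracts the issuer key ID (subpacket 16) and key flags (subpacket 27), and accepts a user-ID certification (types 0x10-0x13) only when the issuer is the primary key ID. The key IDs, timestamps and signature packets are constructed for the demonstration; the packets carry no real cryptographic signature (the MPI part is omitted), since only the hashed area is inspected.

```python
import struct

# RFC 4880 section 5.2.1: certification signature types over a user ID.
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}
# RFC 4880 section 5.2.3: subpacket types used below.
SUBPKT_CREATION_TIME = 2
SUBPKT_ISSUER_KEY_ID = 16
SUBPKT_KEY_FLAGS = 27
# RFC 4880 section 5.2.3.21: first octet of the key flags subpacket.
KEY_FLAG_CERTIFY = 0x01

# Constructed key IDs for the demonstration (not real keys).
PRIMARY_KEY_ID = bytes.fromhex("0011223344556677")
SUBKEY_KEY_ID = bytes.fromhex("8899aabbccddeeff")


def _read_subpacket_length(data, pos):
    """RFC 4880 section 5.2.3.1 length encoding; returns (length, next position)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5


def parse_subpackets(area):
    """Split a subpacket area into (type, critical, body) tuples."""
    out = []
    pos = 0
    while pos < len(area):
        length, pos = _read_subpacket_length(area, pos)
        type_byte = area[pos]                 # length counts this type octet
        body = area[pos + 1:pos + length]
        out.append((type_byte & 0x7F, bool(type_byte & 0x80), body))
        pos += length
    return out


def parse_v4_signature(body):
    """Parse the fixed fields and hashed subpackets of a v4 signature packet body
    (the outer packet header is assumed to be stripped already)."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    issuer = None
    key_flags = None
    for sp_type, _critical, sp in parse_subpackets(body[6:6 + hashed_len]):
        if sp_type == SUBPKT_ISSUER_KEY_ID and len(sp) == 8:
            issuer = sp
        elif sp_type == SUBPKT_KEY_FLAGS and sp:
            key_flags = sp[0]
    return {"type": sig_type, "pk_algo": pk_algo, "hash_algo": hash_algo,
            "issuer": issuer, "key_flags": key_flags}


def certification_acceptable(sig, primary_key_id):
    """Policy: a certification must be issued by the primary key.  The certify
    bit carried inside the signature is deliberately not consulted, because a
    signature cannot vouch for its own issuer's capabilities."""
    if sig["type"] not in CERTIFICATION_TYPES:
        return True  # not a certification; other checks apply elsewhere
    return sig["issuer"] == primary_key_id


def build_v4_sig(sig_type, issuer, key_flags=None):
    """Construct a v4 signature packet body for testing.  Hypothetical data:
    EdDSA (22) with SHA-256 (8), a fixed creation time, no MPIs."""
    subs = bytes([1 + 4, SUBPKT_CREATION_TIME]) + struct.pack(">I", 1522968540)
    subs += bytes([1 + 8, SUBPKT_ISSUER_KEY_ID]) + issuer
    if key_flags is not None:
        subs += bytes([1 + 1, SUBPKT_KEY_FLAGS, key_flags])
    return (bytes([4, sig_type, 22, 8]) + struct.pack(">H", len(subs)) + subs
            + struct.pack(">H", 0)        # empty unhashed area
            + b"\x00\x00")                # left 16 bits of the hash (dummy)


if __name__ == "__main__":
    from_primary = parse_v4_signature(build_v4_sig(0x13, PRIMARY_KEY_ID, KEY_FLAG_CERTIFY))
    from_subkey = parse_v4_signature(build_v4_sig(0x13, SUBKEY_KEY_ID, KEY_FLAG_CERTIFY))
    print("primary-issued certification accepted:",
          certification_acceptable(from_primary, PRIMARY_KEY_ID))
    print("subkey-issued certification accepted: ",
          certification_acceptable(from_subkey, PRIMARY_KEY_ID))
```

The second constructed signature sets the certify bit in its own key-flags subpacket, which is exactly the value a verifier must not trust: the policy ignores it and rejects the certification purely on the issuer. A real implementation would additionally verify the signature cryptographically and match the issuer against the key's actual primary key, not a caller-supplied ID.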
