http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5775
------- Additional Comments From [EMAIL PROTECTED] 2008-01-09 15:09 -------

Maybe I'm missing something here (it does say this is a subtle issue), but ... sa-update doesn't care about signed keys, just that the key which signed the file is in the list of "trusted keys" as given to it. So cross-signing doesn't change anything for us.

Also:

"This does not mean that an attacker can issue signatures pretending to be someone else: the attacker cannot issue any signatures from that subkey, as all they have is the public half. The only thing this allows an attacker to do is to take an existing signature issued by a signing subkey, and claim that it was issued by the attacker's own key. The end result is that the signature can be verified by both the actual signer's key and the attacker's key."

So if an attacker can't fake the signature, then who cares?
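As an added illustration (not sa-update's own code), the trust check the comment describes, run over constructed GnuPG `--status-fd` output: a signature is accepted only when GnuPG attributes it to a key in the trusted list, so the re-attributed signature from the quoted text is rejected because the attacker's key is not trusted. All fingerprints, key IDs and the `status` helper are constructed placeholders.

```python
import re

# Added example, not sa-update's own code: the trust check the comment describes
# (accept an update only if the key that signed it is in the trusted key list),
# applied to GnuPG --status-fd output. All fingerprints are constructed placeholders.
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+)(?: \S+){8}(?: (\S+))?$")


def check_update_signature(status_lines, trusted_fprs):
    """Return (accepted, reason) for one GnuPG status stream."""
    good_sig = False
    signing_key = None
    for line in status_lines:
        if line.startswith(("[GNUPG:] BADSIG", "[GNUPG:] ERRSIG")):
            return False, "signature did not verify"
        if line.startswith("[GNUPG:] GOODSIG "):
            good_sig = True
        m = VALIDSIG_RE.match(line)
        if m:
            # Field 1: fingerprint of the (sub)key that made the signature.
            # Last field: the primary key GnuPG attributes that subkey to.
            signing_key = m.group(2) or m.group(1)
    if not good_sig or signing_key is None:
        return False, "no valid signature found"
    if signing_key not in trusted_fprs:
        return False, "signing key %s is not in the trusted key list" % signing_key
    return True, "signed by trusted key %s" % signing_key


TRUSTED_FPR = "B0B0" * 10   # constructed: the project's update-signing key
SUBKEY_FPR = "5AB5" * 10    # constructed: a signing subkey of that key
ATTACKER_FPR = "CAFE" * 10  # constructed: a key that is not trusted
TRUSTED_KEYS = {TRUSTED_FPR}


def status(subkey, primary, uid):
    """Build a constructed GOODSIG/VALIDSIG stream for a signature made by `subkey`."""
    return ["[GNUPG:] NEWSIG",
            "[GNUPG:] GOODSIG %s %s" % (subkey[-16:], uid),
            "[GNUPG:] VALIDSIG %s 2008-01-09 1199891340 0 4 0 17 2 01 %s" % (subkey, primary)]

# Signature by the trusted key's own subkey: accepted.
HONEST = status(SUBKEY_FPR, TRUSTED_FPR, "Update Key <updates@example.invalid>")
# The case the quoted text describes: the same subkey signature, now attributed to an
# attacker's primary key that merely bound the victim's public subkey: rejected.
CLAIMED = status(SUBKEY_FPR, ATTACKER_FPR, "Someone Else <other@example.invalid>")
# Tampered file: GnuPG reports BADSIG, so there is nothing to attribute.
TAMPERED = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG %s Update Key" % SUBKEY_FPR[-16:]]

if __name__ == "__main__":
    for name, lines in (("honest", HONEST), ("claimed", CLAIMED), ("tampered", TAMPERED)):
        print(name, check_update_signature(lines, TRUSTED_KEYS))
```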
