http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5775





------- Additional Comments From [EMAIL PROTECTED]  2008-01-09 15:31 -------
> So if an attacker can't fake the signature, then who cares?

Maybe the threat is something like this, given that "The end result is that the
signature can be verified by both the actual signer's key and the attacker's
key": Alice signs her release of MalAssassin, which is going to be downloaded
and verified by Bob. Eve uses this vulnerability to cause Alice's signatures of
MalAssassin to verify against Eve's key, then convinces Bob that her key is a
new one to be used for MalAssassin downloads. Bob uses Eve's key, has no problem
verifying legitimate downloads of MalAssassin, and thus is fooled into using
Eve's key to verify a malware download of MalAssassin that Eve has signed.

And here is a stronger reason to cross-sign our key: Otherwise newer versions of
GPG will produce the scary warning message quoted in this bug's Description when
sa-update is run.




