[Announce] GnuPG does not detect injection of unsigned data
David Shaw
dshaw at jabberwocky.com
Fri Mar 10 00:20:26 CET 2006
On Thu, Mar 09, 2006 at 05:55:43PM -0500, vedaal at hush.com wrote:
> in the announcement of the fix for this condition
> on the gnupg announce list, it says the following:
>
> =====[ begin quoted text ]=====
>
> The only correct solution to this problem is to get rid of the feature
> to check concatenated signatures - this allows for strict checking of
> valid packet composition. This is what has been done in 1.4.2.2 and
> in the forthcoming 1.4.3rc2. These versions accept signatures only if
> they are composed of
>
> O + D + S
> S + D
>
> =====[ end quoted text ]=====
>
> am not sure of the difference between concatenated signatures
> and double-signed signatures
>
> double signed signatures are still allowed in 1.4.2.2 and still verified
That is legal. Using the same notation as before, that is:
O + O + D + S + S
David
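
Added example, not part of the original message and not GnuPG's own code: a Python check that maps an OpenPGP packet stream to the thread's notation and accepts only the compositions named above (O + D + S, S + D, and the nested form O + O + D + S + S generalized to n signers). It assumes O, D and S stand for the RFC 4880 one-pass signature (tag 4), literal data (tag 11) and signature (tag 2) packets, and that the input is an uncompressed stream with definite packet lengths; the names packet_letters, composition_ok and pkt are hypothetical, and the sample packets are constructed.

```python
"""Added example: check OpenPGP packet composition in the thread's O/D/S notation."""

# RFC 4880 packet tags mapped to the letters used in the thread (assumed mapping).
TAG_LETTER = {2: "S", 4: "O", 11: "D"}

def packet_letters(data: bytes) -> str:
    """Walk definite-length OpenPGP packet headers and return e.g. 'ODS'."""
    out, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        out.append(TAG_LETTER.get(tag, "?"))  # any other packet type is never accepted
        i += length
    return "".join(out)

def composition_ok(letters: str) -> bool:
    """Accept S+D, or n one-pass packets, one D, then exactly n signatures."""
    if letters == "SD":
        return True
    n = len(letters) - len(letters.lstrip("O"))
    return n > 0 and letters == "O" * n + "D" + "S" * n

def pkt(tag: int, body: bytes = b"\x00") -> bytes:
    """Constructed sample packet: old-format header, one-octet length."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

if __name__ == "__main__":
    for tags in ([4, 11, 2], [2, 11], [4, 4, 11, 2, 2], [11, 4, 11, 2], [4, 11, 2, 11]):
        s = packet_letters(b"".join(pkt(t) for t in tags))
        print(s, "accepted" if composition_ok(s) else "rejected")
```

The last two constructed streams, D + O + D + S and O + D + S + D, are the shapes in which an extra literal data packet sits outside the signed structure, and both are rejected.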