cross-certification
Dirk Traulsen
dirk.traulsen at lypso.de
Sun Aug 27 12:07:54 CEST 2006
Hi,
I had a look at cross-certification and found a few points.
1.
There is a typing error in the man page:
Index: doc/gpg.texi
===================================================================
--- doc/gpg.texi (Revision 4227)
+++ doc/gpg.texi (Arbeitskopie)
@@ -2178,7 +2178,7 @@
handing out the secret key.
@item --require-cross-certification
- at itemx --no-require-certification
+ at itemx --no-require-cross-certification
When verifying a signature made from a subkey, ensure that the cross
certification "back signature" on the subkey is present and valid.
This protects against a subtle attack against subkeys that can sign.
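Review bot: on the removed and added lines the "@" of "@itemx" has been rendered as " at ", while the unchanged "@item --require-cross-certification" line above is intact, so the hunk will not apply as it appears here and needs the "@" restored. With that done, the new name --no-require-cross-certification correctly mirrors the "@item" entry it is paired with.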
2.
When one issues the help command in the edit-key menu, there comes a list of commands. "cross-certify" is missing. I had a look at keyedit.c and the
non-listed commands are the shortcuts and the aliases. So it doesn't seem to be a deliberate omission. Here is a proposal for a text. (The only
other missing commands are delphoto and revphoto. Are they intentionally omitted?)
Index: g10/keyedit.c
===================================================================
--- g10/keyedit.c (Revision 4227)
+++ g10/keyedit.c (Arbeitskopie)
@@ -1367,7 +1367,8 @@
{ "key" , cmdSELKEY , 0, N_("select subkey N") },
{ "check" , cmdCHECK , 0, N_("check signatures") },
{ "c" , cmdCHECK , 0, NULL },
- { "cross-certify", cmdBACKSIGN , KEYEDIT_NOT_SK|KEYEDIT_NEED_SK, NULL },
+ { "cross-certify", cmdBACKSIGN , KEYEDIT_NOT_SK|KEYEDIT_NEED_SK, N_("Add cross-certification signatures to signing subkeys") },
+ /* Alias */
{ "backsign", cmdBACKSIGN , KEYEDIT_NOT_SK|KEYEDIT_NEED_SK, NULL },
{ "sign" , cmdSIGN , KEYEDIT_NOT_SK|KEYEDIT_TAIL_MATCH,
N_("sign selected user IDs [* see below for related commands]") },
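Review bot: the new help string on the "cross-certify" entry starts with a capital letter ("Add cross-certification ..."), while the neighbouring descriptions in this table ("select subkey N", "check signatures", "sign selected user IDs ...") are all lower case; lower-casing it keeps the help listing consistent. The line is also far longer than its neighbours and could be wrapped the way the "sign" entry is, and the added /* Alias */ comment before "backsign" is a convention the "c" alias above does not use, so either drop it or apply it throughout.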
3.
When the option --require-cross-certification is given (and this will be the default soon) and
the signing subkey is not cross-certified, the following message comes and gpg stops.
gpg: Signature made 08/22/06 10:02:04 using DSA key ID 0A77A149
gpg: WARNING: signing subkey 0A77A149 is not cross-certified
gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
gpg: Can't check signature: general error
This seems a bit too harsh for me, especially when it will be the default. The signature could
be ok. It's really good that gpg gives a link to follow, but not everyone can be forced to
update their key. So a little help could be given for the ones who want to accept the risk.
My proposal would be:
gpg: Signature made 08/22/06 10:02:04 using DSA key ID 0A77A149
gpg: WARNING: signing subkey 0A77A149 is not cross-certified
gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
gpg: The option --require-cross-certification is set.
gpg: To force signature check use option --no-require-cross-certification
gpg: Can't check signature: general error
Index: g10/sig-check.c
===================================================================
--- g10/sig-check.c (Revision 4227)
+++ g10/sig-check.c (Arbeitskopie)
@@ -112,6 +112,11 @@
error. TODO: change the default to require this
after more keys have backsigs. */
if(opt.flags.require_cross_cert)
+ /* The first log_info can be deleted, when
+ --require-cross-certification is default. */
+ log_info("The option --require-cross-certification is set.\n");
+ log_info("To force signature check use option --no-require-"
+ "cross-certification\n");
rc=G10ERR_GENERAL;
}
else if(pk->backsig==1)
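Review bot: the "if(opt.flags.require_cross_cert)" has no braces, so after the added lines only the first log_info call is governed by it; the second log_info and "rc=G10ERR_GENERAL;" now execute unconditionally. That means the hint is half-printed and the check fails with a general error even when --no-require-cross-certification is in effect, which defeats the option the message recommends. Enclose both log_info calls and the rc assignment in one { } block under the if.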
4.
I had a key with a signing subkey on one computer. I cross-certified it, which worked fine.
Then I wanted to export and import it on another computer.
gpg did not import (merge) the new key, because:
gpg: key 12345678: already in secret keyring.
gpg did not recognize the new cross-certification. I had to delete the old key before
importing the new cross-certified one.
Dirk