v3 subkeys and signatures
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Jun 24 07:10:42 CEST 2012
On 06/23/2012 04:41 PM, David Shaw wrote:
> Yes, this makes sense. GPG won't generate a subkey on a V3 key (or a V3 subkey at all), but might accept them if generated elsewhere. So you had to patch things to make the key, but no patch is needed to use the key.
Of course, the opportunity for compromise comes when a victim *uses* of
the key, not from its creation. So while i appreciate the refusal of
GPG to generate these keys (which means one less tool available to an
attacker for the creation of the colliding key), it doesn't really
address the fact that users of GPG are at risk if they deal with keys
generated elsewhere.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120624/58a6b4b9/attachment.pgp>
More information about the Gnupg-devel
mailing list