subkey binding signature with no usage flags and/or a critical notation

Daniel Kahn Gillmor dkg at
Wed Mar 13 22:30:36 CET 2013

On 03/13/2013 07:22 AM, Christian Aistleitner wrote:

> With GnuPG 2.0.19, this signature is considered a bad signature. It
> says so, when trying to import the key:

Ah, interesting.  Thanks for pointing this out.  I was only looking at
it from the keyring which generated the subkey binding signature in the
first place.

When i gpg --import with 1.4.12, i see something similar to what you see:

0 dkg at alice:~/src/gnupg/usage-tests$ chmod 0700 x
0 dkg at alice:~/src/gnupg/usage-tests$ export GNUPGHOME=x
0 dkg at alice:~/src/gnupg/usage-tests$ gpg --import < example.key
gpg: keyring `x/secring.gpg' created
gpg: keyring `x/pubring.gpg' created
gpg: assuming bad signature from key C9A3FA35 due to an unknown critical bit
gpg: x/trustdb.gpg: trustdb created
gpg: key C9A3FA35: public key "test key with dsa subkey" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
0 dkg at alice:~/src/gnupg/usage-tests$ gpg --edit-key test
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/C9A3FA35  created: 2013-03-05  expires: 2013-04-04  usage: SC
                     trust: unknown       validity: unknown
sub   512D/48B80074  created: 2013-03-07  expires: 2013-04-06  usage: SCA
sub   768D/5BA8B581  created: 2013-03-12  expires: 2013-03-19  usage: SCA
[ unknown] (1). test key with dsa subkey


>>  * what should GnuPG do when presented with a subkey binding signature
>>    with an all-zero usage flags subpacket?
> RFC 4880, §
>    If a
>    list is shorter than an implementation expects, the unstated flags
>    are considered to be zero.
> Although this sentence comes with a vague precondition of the
> implementation expecting something, I'd nevertheless interpret a key
> flags subpacket being all-zero, as signalling that this key should
> /not/ be used for signing, encrypting, ...

So there might be three cases (setting aside the notation business for
the moment):

 0) the first case has no key usage flags subpacket at all -- this might
be a legacy key, for example, before the usage flag subpacket existed.

 1) a key usage flags subpacket exists, but is 0 octets

 2) a key usage flags subpacket exists, is 1 octet in length, with a
value of 0x00.

I think gpg is definitely doing the wrong thing with case 2. I think
it's doing the right thing with case 0, and i haven't managed to test
case 1 yet (i think case 1 should properly be handled like case 2 based
on the section you quote above.

>>  * (less importantly) should GnuPG be able to generate such a subkey
>>    binding signature?
> If it's hidden behind --expert, I would not mind. However, I do not
> see a really compelling use case for allowing to generate such a
> key. Well, maybe the OTR usage you mentioned on the IETF mailing list
> just is such a use case :-)

that's why i'm asking :)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130313/aec98793/attachment.sig>

More information about the Gnupg-devel mailing list