subkey binding signature with no usage flags
Robert J. Hansen
rjh at sixdemonbag.org
Sat Sep 14 18:26:54 CEST 2013
On 9/14/2013 11:44 AM, Daniel Kahn Gillmor wrote:
> This is a security vulnerability because it exposes messages that
> should be confidential to decryption by keys that are not intended or
> designated for that purpose.
You have not discovered a security vulnerability in either GnuPG or SKS.
You have discovered that users who are not as clever as they think can
use the --expert flag to do foolish things, and that some of these
foolish things have consequences attached.
To this, all I can say is I hope the GnuPG developers triage this as
NOTABUG and WONTFIX.
More information about the Gnupg-devel