ietf-openpgp

RE: critical bit (5.2.3.1)

1998-09-30 09:35:54
Hal Finney writes:
> Werner Koch, <wk@isil.d.shuttle.de>, writes:
> > From section 5.2.3.1:
> >
> > Bit 7 of the subpacket type is the "critical" bit.  If set, it
> > denotes that the subpacket is one that is critical for the evaluator
> > of the signature to recognize.  If a subpacket is encountered that
> > is marked critical but is unknown to the evaluating software, the
> > evaluator SHOULD consider the signature to be in error.
> >
> > Can we restrict the SHOULD to hashed subpackets?  Otherwise it is
> > easy to invalidate a signature by setting the critical bit in an
> > unhashed subpacket.
>
> If I create a signature and set the critical bit on an unhashed packet,
> it means that I want you to understand that packet before you accept
> the signature.  So in this case it is my desire that the signature should
> be invalidated if you don't understand the packet.
>
> If an attacker tries to make a signature invalid by adding an unhashed
> packet with the critical bit set, he could have just as easily modified
> some part of the hashed region, or the signature itself.

I agree with this; however, the converse is a problem. If you make an
unhashed packet critical, an attacker can turn the critical bit off without
invalidating the security; this means that critical bits cannot be relied
upon, and as such should not be part of the signature validation procedure.
I would suggest that critical bits only be supported in hashed subpackets.

 - Tim
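The following is an added illustration written for this archive page; it is not code from the thread, from the OpenPGP draft, or from any participant's implementation. It models the signature subpacket area of section 5.2.3.1 (length octets, type octet with bit 7 as the critical bit), an evaluator that can apply either the draft's wording (reject an unknown critical subpacket anywhere) or the policy Tim proposes (enforce the bit only in the hashed area), and the v4 hash-input layout that shows why the unhashed area cannot carry any signed meaning. The set of "known" subpacket types, the sample subpacket bodies and the signature-type and algorithm octets are constructed for the example; the evaluate, hash_input and clear_critical_bits functions are hypothetical names, not the draft's.

```python
import hashlib

# Signature subpacket types that this toy evaluator "understands" (constructed
# subset of the types listed in the draft); anything else counts as unknown.
KNOWN_SUBPACKET_TYPES = {2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 16, 20, 21, 22,
                         23, 24, 25, 26, 27, 28, 29}

CRITICAL_BIT = 0x80  # bit 7 of the subpacket type octet


def encode_subpacket(sp_type, body, critical=False):
    """Build one subpacket: length (covers type octet + body), type octet, body."""
    n = len(body) + 1
    if n < 192:
        length = bytes([n])
    elif n < 16320:                      # two-octet form: 192..16319
        n2 = n - 192
        length = bytes([(n2 >> 8) + 192, n2 & 0xFF])
    else:                                # 0xFF followed by a four-octet length
        length = b"\xff" + n.to_bytes(4, "big")
    type_octet = (sp_type & 0x7F) | (CRITICAL_BIT if critical else 0)
    return length + bytes([type_octet]) + body


def parse_subpackets(area):
    """Parse a subpacket area into a list of (type, critical, body) tuples."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            if i + 1 >= len(area):
                raise ValueError("truncated subpacket length")
            n = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:
            if i + 4 >= len(area):
                raise ValueError("truncated subpacket length")
            n = int.from_bytes(area[i + 1:i + 5], "big")
            i += 5
        if n < 1 or i + n > len(area):
            raise ValueError("truncated or malformed subpacket")
        t = area[i]
        out.append((t & 0x7F, bool(t & CRITICAL_BIT), area[i + 1:i + n]))
        i += n
    return out


def evaluate(hashed_area, unhashed_area, critical_only_in_hashed=True):
    """Apply the unknown-critical-subpacket rule; returns (ok, reason).

    critical_only_in_hashed=True is the policy proposed in the thread;
    False enforces the bit in both areas, as the quoted draft text reads.
    """
    for name, area in (("hashed", hashed_area), ("unhashed", unhashed_area)):
        for sp_type, critical, _ in parse_subpackets(area):
            if critical and sp_type not in KNOWN_SUBPACKET_TYPES:
                if name == "hashed" or not critical_only_in_hashed:
                    return False, f"unknown critical subpacket {sp_type} in {name} area"
    return True, "ok"


def hash_input(hashed_area, sig_type=0x10, pk_alg=1, hash_alg=2):
    """Octets covered by a v4 signature hash (trailer omitted): version, signature
    type, public-key and hash algorithm, hashed-area length, hashed area. The
    unhashed area never appears here, so nothing in it is protected."""
    return (bytes([4, sig_type, pk_alg, hash_alg])
            + len(hashed_area).to_bytes(2, "big") + hashed_area)


def clear_critical_bits(area):
    """Re-encode an area with every critical bit cleared; in the unhashed area
    this change is invisible to the signature, which is Tim's objection."""
    return b"".join(encode_subpacket(t, body, critical=False)
                    for t, _, body in parse_subpackets(area))


if __name__ == "__main__":
    # Constructed sample: creation time (type 2) hashed; issuer (type 16) and an
    # unknown type 100 marked critical in the unhashed area.
    hashed = encode_subpacket(2, b"\x36\x12\x34\x56")
    unhashed = (encode_subpacket(16, b"\x01" * 8)
                + encode_subpacket(100, b"?", critical=True))
    print("thread's policy:", evaluate(hashed, unhashed))
    print("draft's wording:", evaluate(hashed, unhashed, critical_only_in_hashed=False))
    stripped = clear_critical_bits(unhashed)
    print("after clearing unhashed bits:",
          evaluate(hashed, stripped, critical_only_in_hashed=False))
    print("signed octets unchanged:",
          hashlib.sha1(hash_input(hashed)).hexdigest())
```

Run stand-alone, the three evaluate calls show that under the draft's wording the verdict depends on a bit that lives outside the hashed octets, while under the hashed-only policy the unhashed critical bit changes nothing; the final digest is the same whichever unhashed area accompanies the signature.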

