ietf-openpgp

Re: [openpgp] Embedded TPK subpacket

2019-03-25 07:27:19
On 3/25/19 11:48 AM, Justus Winter wrote:
>> Can you clarify what keys are allowed as embedded TPKs?  Just the
>> signing key for that signature, or arbitrary keys?
>
> Arbitrary keys.
>
>> If the latter (for example to allow more use cases such as key
>> rollover), then the new subpacket would be the first subpacket not to
>> have any relationship to the signature it is contained in, which would
>> be awkward.
>
> Really?  Plenty of signature subpackets deal with keys, user
> preferences, or can simply contain arbitrary data (notations).

I haven't done an exhaustive analysis, but at first glance those seem
to be related to the signature. For example, user preferences are part
of binding signatures.

>> It would also potentially allow interesting attack vectors (injecting
>> arbitrary keyring data).
>
> GnuPG's keyring is uncurated, and it uses trust models to compute the
> validity of userid,key-bindings.  Similarly, Sequoia's keystore can
> contain keys that have no bindings.

GnuPG's keyring was very helpful in my Enigmail signature spoofing
attack [1]. Just saying :)

[1] https://neopg.io/blog/enigmail-signature-spoof

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
