Linux Format

Cross certificat­ion


There is a vulnerabil­ity where a public subkey could be attached to another certificat­e whose owner could then claim to have signed a document. To prevent such a scenario occurring, GnuPG now checks that signing keys are crosscerti­fied before verifying signatures. Cross certificat­ion requires that subkeys sign the primary key to prove their authentici­ty. These “back” or “binding” signatures are embedded within the self-certificat­ion signatures that GnuPG adds to the signing subkeys – you can’t see them with --list-sigs.

Older versions of GnuPG or other OpenPGP applicatio­ns may not have this feature and signing subkeys generated with these applicatio­ns may lack the required binding signatures. Owners of such keys can resolve this with the cross-certify command available in the key editing mode of the latest gpg.

You can read the official explanatio­n at www.

Newspapers in English

Newspapers from Australia