From e05f10497424e30ed3af03c9e02c7efb1af927e6 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 25 Nov 2023 14:01:50 +0100 Subject: [PATCH] clarify enumeration of legitimate unbound packets This is supposed to be a list of legitimate uses. I've removed the elaboration of the flooding problem, and replaced it with a link to an elaboration in ch4. --- book/source/08-signing_components.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/book/source/08-signing_components.md b/book/source/08-signing_components.md index f946716..2cd900b 100644 --- a/book/source/08-signing_components.md +++ b/book/source/08-signing_components.md 
@@ -76,12 +76,11 @@ To safeguard against unauthorized additions, OpenPGP uses cryptographic signatur Conversely, omissions of packets by third parties can easily occur when handling an OpenPGP certificate dataset. This could pose a challenge, for example, when an attacker deliberately omits revocation packets. Without access to an alternative, complete certificate source, recipients might not detect these omissions. ``` -However, there are instances – legitimate and malicious – in which third parties add "unbound" packets (i.e., not signed by the certificate's owner) to a certificate: +However, there are legitimate instances in which third parties add "unbound" packets (i.e., not signed by the certificate's owner) to a certificate: -- [Third-party certifications](third_party_cert) are often stored within the packet data of the certificate to which they are related.This is a standard practice that provides convenience for users by allowing easy access to all relevant certifications. However, in systems that unconditionally accept these certifications, it can lead to unintended consequences. Specifically, this approach has been exploited to cause denial-of-service attacks through [certificate flooding](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), a problem notably experienced by the SKS network of OpenPGP servers. +- [Third-party certifications](third_party_cert) are often stored within the packet data of the certificate to which they are related. This is a standard practice that provides convenience for users by allowing easy access to all relevant certifications. (See {ref}`cert-flooding` for discussion of a related pitfall.) - OpenPGP software may locally append [unbound identity data](unbound_user_ids) to a certificate. - (bind_subkey)= ### Binding subkeys to a certificate
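Review bot: the new cross-reference in the third-party certifications bullet, `{ref}` with target `cert-flooding`, depends on a `(cert-flooding)=` label that is not visible in this patch; confirm that the label exists in chapter 4 (the commit message says the elaboration now lives there), because an unresolved MyST reference only surfaces as a build warning and would leave the reader with no pointer to the flooding problem at all. Consider also giving the reference explicit link text, for example `{ref}` with `certificate flooding <cert-flooding>`, instead of the vague "related pitfall", so that the security-relevant caveat removed from this sentence (software that unconditionally accepts third-party certifications is exposed to denial of service) remains discoverable from this list of legitimate uses. The spacing fix from "related.This" to "related. This" is welcome.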