mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-30 03:22:06 +01:00
clarify enumeration of legitimate unbound packets
This is supposed to be a list of legitimate uses. I've removed the elaboration of the flooding problem, and replaced it with a link to an elaboration in ch4.
parent
2580ae317d
commit
e05f104974
1 changed files with 2 additions and 3 deletions
|
@ -76,12 +76,11 @@ To safeguard against unauthorized additions, OpenPGP uses cryptographic signatur
|
||||||
Conversely, omissions of packets by third parties can easily occur when handling an OpenPGP certificate dataset. This could pose a challenge, for example, when an attacker deliberately omits revocation packets. Without access to an alternative, complete certificate source, recipients might not detect these omissions.
|
Conversely, omissions of packets by third parties can easily occur when handling an OpenPGP certificate dataset. This could pose a challenge, for example, when an attacker deliberately omits revocation packets. Without access to an alternative, complete certificate source, recipients might not detect these omissions.
|
||||||
```
|
```
|
||||||
|
|
||||||
However, there are instances – legitimate and malicious – in which third parties add "unbound" packets (i.e., not signed by the certificate's owner) to a certificate:
|
However, there are legitimate instances in which third parties add "unbound" packets (i.e., not signed by the certificate's owner) to a certificate:
|
||||||
|
|
||||||
- [Third-party certifications](third_party_cert) are often stored within the packet data of the certificate to which they are related.This is a standard practice that provides convenience for users by allowing easy access to all relevant certifications. However, in systems that unconditionally accept these certifications, it can lead to unintended consequences. Specifically, this approach has been exploited to cause denial-of-service attacks through [certificate flooding](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), a problem notably experienced by the SKS network of OpenPGP servers.
|
- [Third-party certifications](third_party_cert) are often stored within the packet data of the certificate to which they are related. This is a standard practice that provides convenience for users by allowing easy access to all relevant certifications. (See {ref}`cert-flooding` for discussion of a related pitfall.)
|
||||||
- OpenPGP software may locally append [unbound identity data](unbound_user_ids) to a certificate.
|
- OpenPGP software may locally append [unbound identity data](unbound_user_ids) to a certificate.
|
||||||
|
|
||||||
|
|
||||||
(bind_subkey)=
|
(bind_subkey)=
|
||||||
### Binding subkeys to a certificate
|
### Binding subkeys to a certificate
|
||||||
|
|
||||||
|
|
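Review bot: In the rewritten third-party certifications bullet, the parenthetical "(See {ref}`cert-flooding` for discussion of a related pitfall.)" no longer says what the pitfall is. The removed text stated that systems which unconditionally accept these certifications are exposed to denial of service, and that condition is what an implementer needs to see at this point. Consider naming it in the pointer, for example "(Accepting such certifications unconditionally enables certificate flooding; see {ref}`cert-flooding`.)". The commit changes only this one file, so the `cert-flooding` target must already be defined in ch4, otherwise the reference will not resolve. Its hyphenated name also differs from the underscore labels used in this file (`third_party_cert`, `unbound_user_ids`, `bind_subkey`). Please also confirm that the dkg blog link and the SKS mention dropped from this bullet are present in the ch4 section.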