clarify enumeration of legitimate unbound packets

This is supposed to be a list of legitimate uses. I've removed the elaboration of the flooding problem, and replaced it with a link to an elaboration in ch4.
This commit is contained in:
Heiko Schaefer 2023-11-25 14:01:50 +01:00
parent 2580ae317d
commit e05f104974
No known key found for this signature in database
GPG key ID: DAE9A9050FCCF1EB

View file

@ -76,12 +76,11 @@ To safeguard against unauthorized additions, OpenPGP uses cryptographic signatur
Conversely, omissions of packets by third parties can easily occur when handling an OpenPGP certificate dataset. This could pose a challenge, for example, when an attacker deliberately omits revocation packets. Without access to an alternative, complete certificate source, recipients might not detect these omissions. Conversely, omissions of packets by third parties can easily occur when handling an OpenPGP certificate dataset. This could pose a challenge, for example, when an attacker deliberately omits revocation packets. Without access to an alternative, complete certificate source, recipients might not detect these omissions.
``` ```
However, there are instances legitimate and malicious in which third parties add "unbound" packets (i.e., not signed by the certificate's owner) to a certificate: However, there are legitimate instances in which third parties add "unbound" packets (i.e., not signed by the certificate's owner) to a certificate:
- [Third-party certifications](third_party_cert) are often stored within the packet data of the certificate to which they are related.This is a standard practice that provides convenience for users by allowing easy access to all relevant certifications. However, in systems that unconditionally accept these certifications, it can lead to unintended consequences. Specifically, this approach has been exploited to cause denial-of-service attacks through [certificate flooding](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html), a problem notably experienced by the SKS network of OpenPGP servers. - [Third-party certifications](third_party_cert) are often stored within the packet data of the certificate to which they are related. This is a standard practice that provides convenience for users by allowing easy access to all relevant certifications. (See {ref}`cert-flooding` for discussion of a related pitfall.)
- OpenPGP software may locally append [unbound identity data](unbound_user_ids) to a certificate. - OpenPGP software may locally append [unbound identity data](unbound_user_ids) to a certificate.
(bind_subkey)= (bind_subkey)=
### Binding subkeys to a certificate ### Binding subkeys to a certificate