Created gnupg2 tracking bugs for this issue:
Affects: fedora-all [bug 1563931]
Created gnupg tracking bugs for this issue:
Affects: fedora-all [bug 1563932]
Comment 3 Huzaifa S. Sidhpurwala
2018-04-06 04:03:20 UTC
Analysis:
Normally, master keys are more protected than signing or encryption subkeys, since the master key can actually be used to prove someone's identity. Subkeys, on the other hand, can be used to sign/verify and encrypt/decrypt messages in place of the master keys. However, the procedure of signing someone's keys requires the master key. The flaw allows the signing subkey to sign someone's keys, without the use of the master key, when smartcards are used. This seems to be only a minor security bypass, since technically subkeys also need to have some form of security around them.