x/crypto/openpgp: cross-certification signatures not verified #10740

@kbsriram

go version devel +aebd123 Thu May 7 01:24:27 2015 +0000 darwin/amd64

The openpgp code needs additional checks around signatures made on signing subkeys. In particular, verifying embedded signatures (i.e., back or cross signatures made by a signing subkey on the primary key) is a required check for RFC 4880, and avoids the problems mentioned at https://www.gnupg.org/faq/subkey-cross-certify.html

(Section 11.1 from the RFC also has the "must" requirements for validating signing subkeys.)
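
The structural half of the check the issue asks for, as an added example that is not code from x/crypto/openpgp or from the issue's author: walk a v4 signature subpacket area and report whether the subkey is flagged for signing and whether it carries an embedded 0x19 back signature. `InspectBinding` and the sample bytes are constructed for illustration; the subpacket numbers and length encoding are those of RFC 4880.

```go
package main

import (
	"errors"
	"fmt"
)

const (
	subKeyFlags    = 27   // Key Flags subpacket (RFC 4880, 5.2.3.21)
	subEmbeddedSig = 32   // Embedded Signature subpacket (5.2.3.26)
	flagSign       = 0x02 // key flag: may be used to sign data
	sigPrimaryBind = 0x19 // Primary Key Binding ("back") signature type
)

var errMalformed = errors.New("malformed subpacket area")

// InspectBinding (hypothetical helper) walks one subpacket area of a v4 subkey
// binding signature; call it on each area of the signature. Structural only:
// a verifier must still check the embedded signature cryptographically
// against the subkey before trusting signatures made by that subkey.
func InspectBinding(area []byte) (signing, backSig bool, err error) {
	for len(area) > 0 {
		n, hdr := int(area[0]), 1
		if n == 255 && len(area) >= 5 { // five-octet length
			n, hdr = int(area[1])<<24|int(area[2])<<16|int(area[3])<<8|int(area[4]), 5
		} else if n >= 192 && n < 255 && len(area) >= 2 { // two-octet length
			n, hdr = (n-192)<<8+int(area[1])+192, 2
		} else if n >= 192 {
			return false, false, errMalformed
		}
		if n < 1 || n > len(area)-hdr { // length counts the type octet
			return false, false, errMalformed
		}
		typ, body := area[hdr]&0x7f, area[hdr+1:hdr+n] // bit 7 is the critical flag
		if typ == subKeyFlags && len(body) > 0 {
			signing = body[0]&flagSign != 0
		} else if typ == subEmbeddedSig && len(body) > 1 && body[0] == 4 {
			backSig = backSig || body[1] == sigPrimaryBind
		}
		area = area[hdr+n:]
	}
	return signing, backSig, nil
}

func main() {
	// Constructed sample: Key Flags = 0x02 only, no Embedded Signature subpacket.
	s, b, err := InspectBinding([]byte{0x02, 27, 0x02})
	fmt.Println("signing:", s, "back signature present:", b, "err:", err)
}
```

A binding that reports `signing` without `backSig` is the case the issue describes and should be rejected for signature verification.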
