Date: Mon, 1 Sep 2014 20:16:36 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: Re: gpg blindly imports keys from keyserver responses

On Mon, Sep 01, 2014 at 10:05:11PM +0200, Kristian Fiskerstrand wrote:
> On 09/01/2014 09:43 PM, mancha wrote:
> > On Mon, Sep 01, 2014 at 08:41:10PM +0200, Kristian Fiskerstrand
> > wrote:
> >>
> >> My personal opinion is this is expected behavior as the
> >> keyservers are not trusted, and as you point out above, there are
> >> proper measures that should be used that invalidate this as an
> >> attack vector, i.e. by performing proper key verification.
> >
> > Hi.
> >
> > Isn't it the opposite? Were key servers fully trusted I'd agree
> > "expected behavior" would be to blindly import the server's reply.
> >
> > However, the lack of trustworthiness of keyservers is precisely why
> > the check is relevant.
>
> I'd consider it security hardening and not a vulnerability.
>

I wasn't weighing in on whether the change be considered a
vulnerability fix or a hardening feature (which are usually deemed CVE
unworthy).

My objection was to the characterization as "expected behavior".

--mancha