Date: Mon, 1 Sep 2014 20:16:36 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: Re: gpg blindly imports keys from keyserver responses

On Mon, Sep 01, 2014 at 10:05:11PM +0200, Kristian Fiskerstrand wrote:
> On 09/01/2014 09:43 PM, mancha wrote:
> > On Mon, Sep 01, 2014 at 08:41:10PM +0200, Kristian Fiskerstrand
> > wrote:
> >> 
> >> My personal opinion is this is expected behavior as the
> >> keyservers are not trusted, and as you point out above, there are
> >> proper measures that should be used that invalidate this as an
> >> attack vector, i.e. by performing proper key verification.
> > 
> > Hi.
> > 
> > Isn't it the opposite? Were key servers fully trusted I'd agree 
> > "expected behavior" would be to blindly import the server's reply.
> > 
> > However, the lack of trustworthiness of keyservers is precisely why
> > the check is relevant.
> 
> I'd consider it security hardening and not a vulnerability.
> 

I wasn't weighing in on whether the change be considered a vulnerability
fix or a hardening feature (which are usually deemed CVE unworthy).

My objection was to the characterization as "expected behavior".

--mancha
