Date: Mon, 01 Sep 2014 22:44:10 +0200
From: Werner Koch <wk@...pg.org>
To: Kristian Fiskerstrand <kristian.fiskerstrand@...ptuouscapital.com>
Cc: oss-security@...ts.openwall.com, pkg-gnupg-maint@...ts.alioth.debian.org
Subject: Re: gpg blindly imports keys from keyserver responses

On Mon, 1 Sep 2014 20:41, kristian.fiskerstrand@...ptuouscapital.com said:

> My personal opinion is this is expected behavior as the keyservers are
> not trusted, and as you point out above, there are proper measures

I fully agree with your opinion. If we would have rejected the patch we would not have run into this mess. I agreed to add the patch because it won't harm and had to find out that it cost me about 3 days to get the regressions fixed :-(. And now these funny complaints that it is unsafe to import arbitrary keys.

I recall mail clients which always imported attached keys - not a bad thing. S/MIME works the same. One could debate whether such automatically imported keys may eventually expire from the keyring but this is orthogonal to the issues at hand.

*gpgv* is the tool to verify signatures using a well defined set of keys. It has been written exactly for that purpose. *gpg* requires that you use one of the available trust models - presence of a key in the keyring is not such a model.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
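The point that a key's presence in the keyring is not a trust decision, as an added example that is not part of the original message and is not GnuPG code: a verifier that reads `--status-fd` output and accepts a signature only when the `VALIDSIG` fingerprint is in an explicitly pinned set. The fingerprints, key IDs, user IDs and status lines are constructed, and the accept policy is an assumption.

```python
# Added example; fingerprints and status lines are constructed sample data.
PINNED = {"0123456789ABCDEF0123456789ABCDEF01234567"}  # keys we decided to accept
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def signer_fingerprints(status_text):
    """Return (fingerprints from VALIDSIG lines, fatal status keywords seen)."""
    fprs, fatal = [], set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # not a status line
        keyword, args = fields[1], fields[2:]
        if keyword in FATAL:
            fatal.add(keyword)
        elif keyword == "VALIDSIG" and args:
            # Use the primary key fingerprint (10th argument) when present,
            # otherwise the signing key fingerprint (1st argument).
            fprs.append((args[9] if len(args) >= 10 else args[0]).upper())
    return fprs, fatal

def accept(status_text, pinned=PINNED):
    """Assumed policy: no failed signature, at least one valid one, all signers pinned."""
    fprs, fatal = signer_fingerprints(status_text)
    return not fatal and bool(fprs) and all(f in pinned for f in fprs)

# Constructed: signature made by the pinned key.
PINNED_SIGNER = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Key <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-09-01 1409600000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
"""
# Constructed: cryptographically good signature by a key that is merely present
# in the keyring (for example after a keyserver import) and was never pinned.
IMPORTED_ONLY = """\
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <someone@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-09-01 1409600000 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED
"""
# Constructed: signature that does not verify.
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Release Key <release@example.org>\n"

if __name__ == "__main__":
    for name, text in [("pinned", PINNED_SIGNER), ("imported", IMPORTED_ONLY), ("bad", BAD)]:
        print(name, "accepted" if accept(text) else "rejected")
```

With *gpgv* the same pinning is expressed by the keyring file handed to it, so a key imported elsewhere never enters the set.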