Date: Mon, 01 Sep 2014 22:44:10 +0200
From: Werner Koch <wk@...pg.org>
To: Kristian Fiskerstrand <kristian.fiskerstrand@...ptuouscapital.com>
Cc: oss-security@...ts.openwall.com,  pkg-gnupg-maint@...ts.alioth.debian.org
Subject: Re: gpg blindly imports keys from keyserver responses

On Mon,  1 Sep 2014 20:41, kristian.fiskerstrand@...ptuouscapital.com
said:

> My personal opinion is this is expected behavior as the keyservers are
> not trusted, and as you point out above, there are proper measures

I fully agree with your opinion.  If we had rejected the patch we
would not have run into this mess.  I agreed to add the patch because it
won't harm and had to find out that it cost me about 3 days to get the
regressions fixed :-(.  And now these funny complaints that it is
unsafe to import arbitrary keys.

I recall mail clients which always imported attached keys - not a bad
thing.  S/MIME works the same.  One could debate whether such
automatically imported keys may eventually expire from the keyring but
this is orthogonal to the issues at hand.

*gpgv* is the tool to verify signatures using a well defined set of
keys.  It has been written exactly for that purpose.  *gpg* requires
that you use one of the available trust models - presence of a key in
the keyring is not such a model.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
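
The gpgv usage described in the message above, as an added example that is not part of the original mail or of GnuPG itself: a detached signature is checked against one explicitly pinned keyring file, so a valid signature from any other key is rejected. It assumes GnuPG 2.1 or later; the `example.invalid` identities, file names and the `demo` argument are constructed for the illustration.

```shell
#!/bin/sh
# Added example: pin the set of accepted signing keys with gpgv.
# All identities and file names here are constructed for the demo.

# verify_pinned KEYRING SIG DATA
# Succeeds only if SIG is a valid signature over DATA made by a key that is
# in KEYRING (absolute path). gpgv treats every key in that file as trusted
# and does not consult the normal public keyring, the trustdb or a keyserver.
verify_pinned() {
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# make_demo: create a throwaway GnuPG home with two signing keys, sign one
# file with each, and export only the "release" key to pinned.gpg.
# Prints the directory name on success.
make_demo() {
    d=$(mktemp -d) || return 1
    (
        export GNUPGHOME="$d"
        g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
        printf 'release artifact v1\n' > "$d/msg"
        for who in release other; do
            g --quick-generate-key "$who@example.invalid" ed25519 sign never &&
            g -u "$who@example.invalid" -o "$d/msg.sig.$who" \
              --detach-sign "$d/msg" || exit 1
        done
        g -o "$d/pinned.gpg" --export release@example.invalid || exit 1
        gpgconf --kill gpg-agent || true
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$d"
}

# Run as "sh thisfile demo" to see both outcomes.
if [ "${1:-}" = demo ]; then
    d=$(make_demo) || exit 1
    verify_pinned "$d/pinned.gpg" "$d/msg.sig.release" "$d/msg" &&
        echo "release key: accepted"
    verify_pinned "$d/pinned.gpg" "$d/msg.sig.other" "$d/msg" ||
        echo "other key: rejected (valid signature, key not pinned)"
    rm -rf "$d"
fi
```
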
