Date: Thu, 25 Jul 2013 14:05:44 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: kseifried@...hat.com
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: evolution mail client GPG key selection issue

On jeu., 2013-07-25 at 02:46 -0600, Kurt Seifried wrote:
> Yeah this was discussed internally a bit at Red Hat after you filed
> the bug, it's a messy problem. I think one concern was where do you
> want to place policy decisions for key usage and trust, in GPG, in the
> app using it, or something else?

Indeed, it's a messy one, and having to parse gpg output doesn't help
establish boundaries.

> One concern I have is I sometimes
> used to (not any more!) download all the signing keys for keys I was
> using to see if I could establish a web of trust. Of course anyone can
> sign someone else's key and upload that to the public key servers, so
> then the potential for grabbing a key from a bad guy increases
> significantly.

Indeed. I seem to recall (but I'm not sure though) there was a mode to
automatically download keys for encryption (or maybe signature
verification).

>
> Anyway, for evolution please use CVE-2013-4166 for this issue. Has
> anyone checked other popular mail clients like thunderbird/mutt/etc?

Mutt (at least mutt-patched package in Debian) seems to run a full
search and then present the user the whole list of uids (with keyids,
name, comment and email details) for him to select, which looks like a
good idea.

Regards,
-- 
Yves-Alexis
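An added example, not code from evolution, mutt or anyone in this thread: the lookup discipline described for mutt above, written in Python over a constructed `gpg --with-colons --list-keys` listing (the field layout is assumed to follow gpg's colon-separated format). It enumerates every key whose user ID carries the exact address, refuses to pick a key automatically unless exactly one matches, and otherwise produces the full key ID / user ID list for the user to choose from.

```python
import re

# Constructed `gpg --with-colons --list-keys` output (not a real keyring):
# two distinct keys carry a user ID for alice@example.org, and a third key's
# user ID merely contains that address as a substring.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1374750000:::u:::scESC:
fpr:::::::::1111222233334444555566660123456789ABCDEF:
uid:u::::1374750000::ABC::Alice Example <alice@example.org>::
pub:-:2048:1:DEADBEEF00000000:1374760000:::-:::scESC:
fpr:::::::::999988887777666655554444DEADBEEF00000000:
uid:-::::1374760000::DEF::Alice Example <alice@example.org>::
pub:f:4096:1:ABCDEF0123456789:1374770000:::f:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFFABCDEF0123456789:
uid:f::::1374770000::JKL::Bob Example <bob@example.org>::
uid:f::::1374770000::MNO::Bob at work <alice@example.org.corp.example>::
"""
EMAIL_RE = re.compile(r"<([^>]+)>\s*$")  # address is the trailing <...> token

def parse_listing(text):
    """Group pub/fpr/uid records into one dict per primary key."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1], "fpr": "", "uids": []})
        elif f[0] == "fpr" and keys:
            keys[-1]["fpr"] = f[9]
        elif f[0] == "uid" and keys:
            m = EMAIL_RE.search(f[9])
            email = m.group(1).lower() if m else ""
            keys[-1]["uids"].append({"validity": f[1], "email": email, "text": f[9]})
    return keys

def candidates(keys, address):
    """Every key with a user ID whose address equals `address` exactly."""
    addr = address.lower()
    return [k for k in keys if any(u["email"] == addr for u in k["uids"])]

def select_key(keys, address):
    """Fingerprint to encrypt to, or None when the choice must go to the user."""
    cands = candidates(keys, address)
    return cands[0]["fpr"] if len(cands) == 1 else None

def menu(keys, address):
    """mutt-style listing of every candidate: key ID, validity, user ID text."""
    return ["%s [%s] %s" % (k["keyid"], k["validity"], u["text"])
            for k in candidates(keys, address) for u in k["uids"]]
```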

