Date: Thu, 25 Jul 2013 14:05:44 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: kseifried@...hat.com
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: evolution mail client GPG key selection issue

On jeu., 2013-07-25 at 02:46 -0600, Kurt Seifried wrote:
> Yeah this was discussed internally a bit at Red Hat after you filed
> the bug, it's a messy problem. I think one concern was where do you
> want to place policy decisions for key usage and trust, in GPG, in the
> app using it, or something else?

Indeed, it's a messy one, and having to parse gpg output doesn't help
establish boundaries.

> One concern I have is I sometimes
> used to (not any more!) download all the signing keys for keys I was
> using to see if I could establish a web of trust. Of course anyone can
> sign someone else's key and upload that to the public key servers, so
> then the potential for grabbing a key from a bad guy increases
> significantly.

Indeed. I seem to recall (but I'm not sure though) there was a mode to
automatically download keys for encryption (or maybe signature
verification).

> Anyway, for Evolution please use CVE-2013-4166 for this issue. Has
> anyone checked other popular mail clients like thunderbird/mutt/etc?

Mutt (at least the mutt-patched package in Debian) seems to run a full
search and then present the user with the whole list of uids (with
keyids, name, comment and email details) for him to select, which looks
like a good idea.

Regards,
-- 
Yves-Alexis
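The two points above, that an application has to parse gpg output to make any key-selection policy at all, and that presenting every matching uid for the user to choose from is safer than silently taking one hit, can be made concrete. The following is an added example and not code from the post, from Evolution or from Mutt. It parses gpg's machine-readable `--with-colons` listing (field positions as documented in gpg's DETAILS file: field 1 validity, field 4 key id, field 9 user id), keeps only keys whose uid e-mail address equals the requested address exactly, and returns all candidates with their validity so a caller can show a selection menu. The key listing is constructed for the example; the key ids and fingerprints are not real keys. A plain substring search is included only to contrast with the exact match.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `gpg --with-colons --list-keys` output. The key ids,
# fingerprints and user ids are made up for this example; none are real keys.
# Two keys claim to be Alice (one ultimately trusted, one unknown), and a third
# key's address contains "alice@example.org" as a substring.
SAMPLE_LISTING = """\
tru::1:1374753000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1374753000:::u:::scESC::::::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1374753000::0000000000000001::Alice Example <alice@example.org>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1374753000::::::e::::::23:
pub:-:2048:1:1111222233334444:1374753001:::-:::scESC::::::23::0:
fpr:::::::::BBBB1111222233334444111122223333444411112:
uid:-::::1374753001::0000000000000002::Alice Example <alice@example.org>::::::::::0:
pub:-:2048:1:5555666677778888:1374753002:::-:::scESC::::::23::0:
fpr:::::::::CCCC5555666677778888555566667777888855556:
uid:-::::1374753002::0000000000000003::Mallory <malice@example.org>::::::::::0:
"""


@dataclass
class Uid:
    name: str
    email: str
    validity: str  # gpg validity letter: u=ultimate, f=full, m=marginal, -=unknown


@dataclass
class Key:
    keyid: str
    validity: str
    fingerprint: str = ""
    uids: List[Uid] = field(default_factory=list)


EMAIL_RE = re.compile(r"<([^>]+)>")


def parse_colons(listing: str) -> List[Key]:
    """Parse a --with-colons key listing into Key records.

    Only 'pub', 'fpr' and 'uid' records are used; 'sub', 'tru' and the rest
    are skipped. The first 'fpr' after a 'pub' is the primary fingerprint.
    """
    keys: List[Key] = []
    current: Optional[Key] = None
    for line in listing.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            current = Key(keyid=f[4], validity=f[1])
            keys.append(current)
        elif rec == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = f[9]
        elif rec == "uid" and current is not None:
            uid_str = f[9]
            m = EMAIL_RE.search(uid_str)
            email = m.group(1) if m else ""
            name = uid_str[: m.start()].strip() if m else uid_str.strip()
            current.uids.append(Uid(name=name, email=email, validity=f[1]))
    return keys


def exact_matches(keys: List[Key], address: str) -> List[Key]:
    """Keys carrying a uid whose address equals `address` (case-insensitive).

    A substring hit such as <malice@example.org> for 'alice@example.org'
    is not a match. All matching keys are returned, not just the first one.
    """
    wanted = address.strip().lower()
    return [k for k in keys if any(u.email.lower() == wanted for u in k.uids)]


def substring_matches(keys: List[Key], address: str) -> List[Key]:
    """What a loose text search over the uid strings would return; included
    only to contrast with exact_matches."""
    wanted = address.strip().lower()
    return [k for k in keys
            if any(wanted in f"{u.name} <{u.email}>".lower() for u in k.uids)]


def describe_candidates(keys: List[Key]) -> List[str]:
    """One menu line per candidate uid (key id, validity, name, address), so
    the caller can show every candidate and let the user choose."""
    rows = []
    for k in keys:
        for u in k.uids:
            rows.append(f"{k.keyid}  [{u.validity}]  {u.name} <{u.email}>")
    return rows


if __name__ == "__main__":
    keys = parse_colons(SAMPLE_LISTING)
    for row in describe_candidates(exact_matches(keys, "alice@example.org")):
        print(row)
```

Run against the constructed listing, the exact match yields the two Alice keys (one with validity `u`, one with `-`) and leaves out Mallory's key, while the substring search returns all three. Neither result is a trust decision on its own: the validity column is what the user (or a stricter policy) still has to act on when picking between the two Alice keys.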