Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 25 Jul 2013 14:05:44 +0200
From: Yves-Alexis Perez <>
Subject: Re: CVE Request: evolution mail client GPG key
 selection issue

On jeu., 2013-07-25 at 02:46 -0600, Kurt Seifried wrote:
> Yeah this was discussed internally a bit at Red Hat after you filed
> the bug, it's a messy problem. I think one concern was where do you
> want to place policy decisions for key usage and trust, in GPG, in the
> app using it, or something else?

Indeed, it's a messy one, and having to parse gpg output doesn't help
establishing boundaries.

>  One concern I have is I sometimes
> used to (not any more!) download all the signing keys for keys I was
> using to see if I could establish a web of trust. Of course anyone can
> sign someone elses key and upload that to the public key servers, so
> then the potential for grabbing a key from a bad guy increases
> significantly.

Indeed. I seem to recall (but I'm not sure though) there was a mode to
automatically download keys for encryption (or maybe signature

> Any ways for evolutions please use CVE-2013-4166 for this issue. Has
> anyone checked other popular mail clients like thunderbird/mutt/etc? 

Mutt (at least mutt-patched package in Debian) seems to run a full
search and then present the user the whole list of uids (with keyids,
name, comment and email details) for him to select, which looks like a
good idea.


Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.