Date: Mon, 1 Sep 2014 19:43:58 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: Werner Koch <wk@...pg.org>, pkg-gnupg-maint@...ts.alioth.debian.org
Subject: Re: gpg blindly imports keys from keyserver responses

On Mon, Sep 01, 2014 at 08:41:10PM +0200, Kristian Fiskerstrand wrote:
> 
> My personal opinion is this is expected behavior as the keyservers are
> not trusted, and as you point out above, there are proper measures
> that should be used that invalidate this as an attack vector, i.e. by
> performing proper key verification.

Hi.

Isn't it the opposite? Were key servers fully trusted I'd agree
"expected behavior" would be to blindly import the server's reply.

However, the lack of trustworthiness of keyservers is precisely why the
check is relevant.

Note: it is not being suggested this check be considered a replacement
for full key verification. But, it is not unreasonable for a user to
expect when instructing gpg to import a key with FP 0xf00 that the gpg
binary is indeed importing a key with FP 0xf00.

--mancha

PS Thijs' email signature verified for me using mutt. What is your email
client-side configuration?

