Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 1 Sep 2014 20:16:36 +0000
From: mancha <>
Subject: Re: gpg blindly imports keys from keyserver responses

On Mon, Sep 01, 2014 at 10:05:11PM +0200, Kristian Fiskerstrand wrote:
> On 09/01/2014 09:43 PM, mancha wrote:
> > On Mon, Sep 01, 2014 at 08:41:10PM +0200, Kristian Fiskerstrand
> > wrote:
> >> 
> >> My personal opinion is this is expected behavior as the
> >> keyservers are not trusted, and as you point out above, there are
> >> proper measures that should be used that invalidate this as an
> >> attack vector, i.e. by performing proper key verification.
> > 
> > Hi.
> > 
> > Isn't it the opposite? Were key servers fully trusted I'd agree 
> > "expected behavior" would be to blindly import the server's reply.
> > 
> > However, the lack of trustworthiness of keyservers is precisely why
> > the check is relevant.
> I'd consider it security hardening and not a vulnerability.

I wasn't weighing in on whether the change be considered a vulnerability
fix or a hardening feature (which are usually deemed CVE unworthy).

My objection was to the characterization as "expected behavior".


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.