[Pkg-gnupg-maint] [oss-security] gpg blindly imports keys from keyserver responses
mancha
mancha1 at zoho.com
Mon Sep 1 19:43:58 UTC 2014
On Mon, Sep 01, 2014 at 08:41:10PM +0200, Kristian Fiskerstrand wrote:
>
> My personal opinion is this is expected behavior as the keyservers are
> not trusted, and as you point out above, there are proper measures
> that should be used that invalidate this as an attack vector, i.e. by
> performing proper key verification.
Hi.
Isn't it the opposite? Were key servers fully trusted I'd agree
"expected behavior" would be to blindly import the server's reply.
However, the lack of trustworthiness of keyservers is precisely why the
check is relevant.
Note: it is not being suggested this check be considered a replacement
for full key verification. But, it is not unreasonable for a user to
expect when instructing gpg to import a key with FP 0xf00 that the gpg
binary is indeed importing a key with FP 0xf00.
--mancha
PS Thijs' email signature verified for me using mutt. What is your email
client-side configuration?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20140901/bb34e4d0/attachment.sig>
More information about the Pkg-gnupg-maint
mailing list