[Pkg-gnupg-maint] [oss-security] gpg blindly imports keys from keyserver responses
Werner Koch
wk at gnupg.org
Mon Sep 1 20:44:10 UTC 2014
On Mon, 1 Sep 2014 20:41, kristian.fiskerstrand at sumptuouscapital.com
said:
> My personal opinion is this is expected behavior as the keyservers are
> not trusted, and as you point out above, there are proper measures
I fully agree with your opinion. If we would have rejected the patch we
would not have run into this mess. I agreed to add the patch because it
won't harm and had to find out that it cost me about 3 days to get the
regressions fixed :-(. And now these funny complaints that it is
unsafe to import arbitrary keys.
I recall mail clients which always imported attached keys - not a bad
thing. S/MIME works the same. One could debate whether such
automatically imported keys may eventually expire from the keyring but
this is orthogonal to the issues at hand.
*gpgv* is the tool to verify signatures using a well defined set of
keys. It has been written exactly for that purpose. *gpg* requires
that you use one of the available trust models - presence of a key in
the keyring is not such a model.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
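The distinction Werner draws above, between a key merely being present in the keyring and a key being trusted under a trust model, is visible in gpg's `--status-fd` output: a signature by an auto-imported key yields GOODSIG together with TRUST_UNDEFINED. The following is an added example, not code from this thread or from GnuPG, that interprets those status lines (keywords as documented in GnuPG's doc/DETAILS); the sample status output is constructed.

```python
"""Decide whether a gpg --status-fd run should be accepted: GOODSIG only says
the signature checks out under some key in the keyring; the TRUST_* line says
whether that key is valid under the active trust model."""
import re

# Status keywords from GnuPG's doc/DETAILS.
TRUST_OK = {"TRUST_FULLY", "TRUST_ULTIMATE"}
HARD_FAIL = {"BADSIG", "ERRSIG", "NO_PUBKEY"}


def verdict(status_output: str) -> tuple:
    """Return (accept, reason) for one verification run."""
    good_key = None
    trust = None
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\]\s+(\S+)(?:\s+(.*))?", line)
        if not m:
            continue
        keyword, args = m.group(1), m.group(2) or ""
        if keyword in HARD_FAIL:
            return False, f"{keyword} {args}".strip()
        if keyword == "GOODSIG":
            good_key = args.split(" ", 1)[0]  # long key id or fingerprint
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if good_key is None:
        return False, "no GOODSIG line"
    if trust in TRUST_OK:
        return True, f"good signature by {good_key}, {trust}"
    # A key that just sits in the keyring (e.g. pulled in from a keyserver)
    # gives GOODSIG plus TRUST_UNDEFINED: presence is not a trust model.
    return False, f"good signature by {good_key} but {trust or 'no trust line'}"


# Constructed sample output (key id and fingerprint are placeholders).
AUTO_IMPORTED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2014-09-01 1409600000 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
TRUSTED = AUTO_IMPORTED.replace("TRUST_UNDEFINED 0 pgp", "TRUST_FULLY 0 pgp")

if __name__ == "__main__":
    print(verdict(AUTO_IMPORTED))  # rejected: key present but untrusted
    print(verdict(TRUSTED))        # accepted
```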