[pkg-gnupg-maint] Bug#802100: gnupg should fetch keys using hkps by default
Antoine Amarilli
a3nm at a3nm.net
Sat Oct 17 14:31:22 UTC 2015
Package: gnupg
Version: 1.4.19-5
Severity: wishlist
Dear Maintainer,
By default, gpg requests keys using HKP server <keys.gnupg.net>. This allows a
passive attacker to obtain information about the keys requested by the user,
which may be harmful in terms of privacy.
I think that gpg should be using an HKPS server by default. See e.g.,
<https://help.riseup.net/en/security/message-security/openpgp/best-practices#use-the-sks-keyserver-pool-instead-of-one-specific-server-with-secure-connections>
See also a similar bug for dirmngr:
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784286>.
Best regards,
--
Antoine Amarilli
-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gnupg depends on:
ii gpgv 1.4.19-5
ii libbz2-1.0 1.0.6-8
ii libc6 2.19-22
ii libreadline6 6.3-8+b3
ii libusb-0.1-4 2:0.1.12-27
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages gnupg recommends:
ii gnupg-curl 1.4.19-5
ii libldap-2.4-2 2.4.42+dfsg-2
Versions of packages gnupg suggests:
ii eog 3.18.0-1
pn gnupg-doc <none>
ii imagemagick 8:6.8.9.9-6
ii libpcsclite1 1.8.14-1
ii parcimonie 0.9-3
-- debconf-show failed
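An added example, not part of the original report: a small Python check that reads gpg.conf text and lists every keyserver setting that would not use hkps, the condition this bug asks to change. The sample configs and the host keyserver.example are constructed; treating a URI with no scheme as hkp is an assumption, and the fallback default is the one named in the report.

```python
import re

# Default named in the report above for gnupg 1.4.19-5 when nothing is configured.
REPORTED_DEFAULT = "keys.gnupg.net"

def keyserver_lines(conf_text):
    """Yield (line_no, uri) for each 'keyserver' option in gpg.conf text."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # '\s+' keeps 'keyserver-options ...' from matching.
        m = re.match(r"keyserver\s+(\S+)", line)
        if m:
            yield no, m.group(1)

def scheme_of(uri):
    """Return the lowercased URI scheme; assumption: no scheme means hkp."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*)://", uri)
    return m.group(1).lower() if m else "hkp"

def audit(conf_text):
    """Return [(line_no, uri, scheme)] for keyservers not reached over hkps.

    line_no 0 means no keyserver line was present, so the default applies.
    """
    servers = list(keyserver_lines(conf_text)) or [(0, REPORTED_DEFAULT)]
    return [(no, uri, scheme_of(uri))
            for no, uri in servers if scheme_of(uri) != "hkps"]

# Constructed sample inputs, not taken from any real system.
SAMPLE_PLAIN = (
    "# constructed sample\n"
    "keyserver hkp://keys.gnupg.net\n"
    "keyserver-options auto-key-retrieve\n"
)
SAMPLE_TLS = "keyserver hkps://keyserver.example\n"

if __name__ == "__main__":
    for name, text in (("plain", SAMPLE_PLAIN), ("tls", SAMPLE_TLS), ("empty", "")):
        print(name, audit(text))
```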