oss-sec mailing list archives
Re: CVE Request: evolution mail client GPG key selection issue
From: Yves-Alexis Perez <corsac () debian org>
Date: Thu, 25 Jul 2013 14:05:44 +0200
On jeu., 2013-07-25 at 02:46 -0600, Kurt Seifried wrote:
> Yeah this was discussed internally a bit at Red Hat after you filed the bug, it's a messy problem. I think one concern was where do you want to place policy decisions for key usage and trust, in GPG, in the app using it, or something else?

Indeed, it's a messy one, and having to parse gpg output doesn't help in establishing boundaries.

> One concern I have is I sometimes used to (not any more!) download all the signing keys for keys I was using to see if I could establish a web of trust. Of course anyone can sign someone else's key and upload that to the public key servers, so then the potential for grabbing a key from a bad guy increases significantly.

Indeed. I seem to recall (but I'm not sure though) there was a mode to automatically download keys for encryption (or maybe signature verification).

> Anyways, for Evolution please use CVE-2013-4166 for this issue. Has anyone checked other popular mail clients like thunderbird/mutt/etc?

Mutt (at least mutt-patched package in Debian) seems to run a full search and then present the user the whole list of uids (with keyids, name, comment and email details) for him to select, which looks like a good idea.

Regards,
--
Yves-Alexis
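
Added example, not part of the original message and not code from Mutt, Evolution or GnuPG: a sketch of the "list every matching uid and let the user choose" approach described above for Mutt, built on gpg's machine-readable `--with-colons` listing. The sample listing is constructed, the function names are hypothetical, and auto-selecting only when exactly one fully valid key matches is a policy assumed for this example.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
# Three keys claim the same address; the last uses the older layout where the
# pub record itself carries the primary uid in field 10.
SAMPLE = """\
pub:f:4096:1:AAAAAAAAAAAAAAAA:1300000000:::-:::scESC:
uid:f::::1300000000::HASH1::Alice Example (work) <alice@example.org>:
sub:f:4096:1:BBBBBBBBBBBBBBBB:1300000000::::::e:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1370000000:::-:::scESC:
uid:-::::1370000000::HASH2::Alice Example <alice@example.org>:
uid:-::::1370000000::HASH3::Other Name <other@example.net>:
pub:r:2048:1:DDDDDDDDDDDDDDDD:1200000000:::-:Alice Example <alice@example.org>::sc:
"""

TRUSTED = {"f", "u"}                  # validity: full, ultimate
UNUSABLE = {"i", "d", "r", "e", "n"}  # invalid, disabled, revoked, expired, never

def _unescape(field):
    # Colon-format fields escape special bytes as \xNN (e.g. ':' is \x3a).
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def candidates(colon_output, email):
    """Every key with a uid containing exactly <email>, never just the first hit."""
    found, keyid, key_validity = [], None, None
    needle = "<" + email.lower() + ">"
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid, key_validity = f[4], f[1]
        if f[0] in ("pub", "uid") and len(f) > 9 and needle in _unescape(f[9]).lower():
            # A revoked/expired key overrides whatever the uid record says.
            validity = key_validity if key_validity in UNUSABLE or f[0] == "pub" else f[1]
            found.append({"keyid": keyid, "validity": validity, "uid": _unescape(f[9])})
    return found

def pick(colon_output, email):
    """Return (keyid or None, usable candidates). None means: ask the user."""
    usable = [c for c in candidates(colon_output, email) if c["validity"] not in UNUSABLE]
    trusted = {c["keyid"] for c in usable if c["validity"] in TRUSTED}
    chosen = trusted.pop() if len(trusted) == 1 else None
    return chosen, usable

if __name__ == "__main__":
    chosen, usable = pick(SAMPLE, "alice@example.org")
    for c in usable:
        print(c["keyid"], c["validity"], c["uid"])
    print("auto-selected:", chosen)
```

When `pick` returns `None` as the key id, the caller shows the returned candidate list (keyid, validity, full uid) and lets the user decide instead of encrypting to an arbitrary match.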