oss-sec mailing list archives

Re: CVE Request: evolution mail client GPG key selection issue


From: Yves-Alexis Perez <corsac () debian org>
Date: Thu, 25 Jul 2013 14:05:44 +0200

On Thu., 2013-07-25 at 02:46 -0600, Kurt Seifried wrote:
> Yeah this was discussed internally a bit at Red Hat after you filed
> the bug, it's a messy problem. I think one concern was where do you
> want to place policy decisions for key usage and trust, in GPG, in the
> app using it, or something else?

Indeed, it's a messy one, and having to parse gpg output doesn't help
establish boundaries.

> One concern I have is I sometimes
> used to (not any more!) download all the signing keys for keys I was
> using to see if I could establish a web of trust. Of course anyone can
> sign someone else's key and upload that to the public key servers, so
> then the potential for grabbing a key from a bad guy increases
> significantly.

Indeed. I seem to recall (but I'm not sure though) there was a mode to
automatically download keys for encryption (or maybe signature
verification).


> Anyway, for evolution please use CVE-2013-4166 for this issue. Has
> anyone checked other popular mail clients like thunderbird/mutt/etc?

Mutt (at least mutt-patched package in Debian) seems to run a full
search and then present the user the whole list of uids (with keyids,
name, comment and email details) for him to select, which looks like a
good idea.

Regards,
-- 
Yves-Alexis

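The selection problem the thread describes (several keys carrying the same address, one of them possibly pulled from a keyserver by an attacker) and the mutt behaviour Yves-Alexis mentions (list every matching uid and let the user choose), as an added example that is not part of the original message and is not Evolution's, mutt's or GnuPG's code. It parses the machine-readable listing produced by `gpg --with-colons --list-keys`, matches the address exactly rather than as a substring, and auto-selects only when exactly one usable key of full or ultimate validity matches; every other case is handed back as a list for the user. The listing, key IDs and the selection policy are constructed for illustration, not real keys or any client's actual rule.

```python
"""Resolve an e-mail address to an OpenPGP encryption key from
`gpg --with-colons --list-keys` output without silently taking the
first match.  Added example; not Evolution, mutt or GnuPG code."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Key:
    keyid: str
    validity: str          # field 2 of the pub record: -, q, n, m, f, u, r, e, d, i
    caps: str              # field 12 of the pub record, e.g. "scESC"
    uids: List[Tuple[str, str]] = field(default_factory=list)  # (uid validity, user id)


_HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
_ADDR = re.compile(r"<([^<>]+)>\s*$")
UNUSABLE = frozenset("ride")   # revoked, invalid, disabled, expired


def unescape_uid(raw: str) -> str:
    """gpg escapes ':' and other awkward bytes in user IDs as \\xNN."""
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), raw)


def parse_colon_listing(text: str) -> List[Key]:
    """Group uid records under the pub record that precedes them."""
    keys: List[Key] = []
    current = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 11:
            current = Key(keyid=f[4], validity=f[1], caps=f[11])
            keys.append(current)
        elif f[0] == "uid" and current is not None and len(f) > 9:
            current.uids.append((f[1], unescape_uid(f[9])))
        # tru/fpr/sub records carry nothing this selection needs
    return keys


def uid_address(uid: str) -> str:
    """Address part of 'Name (comment) <addr>', lower-cased; a bare
    address without angle brackets is returned as-is."""
    m = _ADDR.search(uid)
    return (m.group(1) if m else uid).strip().lower()


def candidate_keys(keys: List[Key], address: str) -> List[Key]:
    """Encryption-capable, non-revoked keys with a live uid whose address
    equals `address`.  Exact comparison, not substring search: a substring
    match for corsac@debian.org would also accept notcorsac@debian.org."""
    want = address.strip().lower()
    return [
        k for k in keys
        if k.validity not in UNUSABLE
        and "e" in k.caps.lower()    # 'e'/'E': the key or a subkey can encrypt
        and any(v not in UNUSABLE and uid_address(u) == want for v, u in k.uids)
    ]


def choose_encryption_key(keys: List[Key], address: str):
    """Policy (an assumption of this example): auto-select only when exactly
    one usable key matches and its validity is full or ultimate; anything
    else goes back to the user as a list, the way mutt presents uids."""
    cands = candidate_keys(keys, address)
    if not cands:
        return "none", cands
    if len(cands) > 1:
        return "ambiguous", cands
    return ("selected" if cands[0].validity in ("f", "u") else "untrusted"), cands


def describe(cands: List[Key]) -> List[str]:
    """One menu line per uid: keyid, validity, full user id."""
    return [f"{k.keyid} [{k.validity}] {u}" for k in cands for _v, u in k.uids]


# Constructed listing, not real keys.  3333... mimics an attacker's keyserver
# upload reusing the victim's address, 4444... is revoked, 5555... is
# sign-only, 7777... has an escaped colon in its uid, 8888... is unknown trust.
SAMPLE_LISTING = """\
tru::1:1374753600:0:3:1:5
pub:u:4096:1:1111111111111111:1300000000:::u:::scESC:
uid:u::::1300000000::AAAA::Yves-Alexis Perez <corsac@debian.org>::
sub:u:4096:1:2222222222222222:1300000000::::::e:
pub:-:2048:1:3333333333333333:1374700000::::::scESC:
uid:-::::1374700000::BBBB::Yves-Alexis Perez (keyserver upload) <corsac@debian.org>::
pub:r:2048:1:4444444444444444:1200000000::::::scESC:
uid:r::::1200000000::CCCC::Yves-Alexis Perez (old) <corsac@debian.org>::
pub:f:2048:1:5555555555555555:1300000000:::f:::scSC:
uid:f::::1300000000::DDDD::Alice Signer <alice@example.org>::
pub:f:2048:1:6666666666666666:1300000000:::f:::scESC:
uid:f::::1300000000::EEEE::Not Corsac <notcorsac@debian.org>::
pub:f:2048:1:7777777777777777:1300000000:::f:::scESC:
uid:f::::1300000000::FFFF::Bob Builder (foo\\x3abar) <bob@example.org>::
pub:-:2048:1:8888888888888888:1374700000::::::scESC:
uid:-::::1374700000::GGGG::Mallory <mallory@example.org>::
"""

KEYS = parse_colon_listing(SAMPLE_LISTING)

if __name__ == "__main__":
    for addr in ("corsac@debian.org", "notcorsac@debian.org", "mallory@example.org"):
        status, cands = choose_encryption_key(KEYS, addr)
        print(addr, "->", status, *describe(cands), sep="\n    ")
```

For corsac@debian.org the trusted key and the unknown-validity keyserver copy both survive filtering, so the result is "ambiguous" and the caller must show the list rather than encrypt to whichever gpg happened to list first; the revoked key and the near-miss address are dropped before the user ever sees them.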

