oss-sec mailing list archives
Re: gpg blindly imports keys from keyserver responses
From: Werner Koch <wk () gnupg org>
Date: Mon, 01 Sep 2014 22:44:10 +0200
On Mon, 1 Sep 2014 20:41, kristian.fiskerstrand () sumptuouscapital com said:
> My personal opinion is this is expected behavior as the keyservers are not trusted, and as you point out above, there are proper measures

I fully agree with your opinion. If we would have rejected the patch we would not have run into this mess. I agreed to add the patch because it won't harm and had to find out that it cost me about 3 days to get the regressions fixed :-(. And now these funny complaints that it is unsafe to import arbitrary keys.

I recall mail clients which always imported attached keys - not a bad thing. S/MIME works the same. One could debate whether such automatically imported keys may eventually expire from the keyring but this is orthogonal to the issues at hand.

*gpgv* is the tool to verify signatures using a well defined set of keys. It has been written exactly for that purpose. *gpg* requires that you use one of the available trust models - presence of a key in the keyring is not such a model.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
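The gpgv usage described in the message above, as an added example that is not part of the mail or of GnuPG's own code: a wrapper that verifies a detached signature against one dedicated keyring and pins the signer's fingerprint using gpgv's `VALIDSIG` status line. The keyring name, the fingerprints, the sample status output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; release-keyring.gpg, the fingerprints and the function
# names are assumptions, not taken from the thread.

# Constructed gpgv --status-fd output for one good signature (fake fingerprints).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example Signer
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2014-09-01 1409600000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Read status lines on stdin; print the primary-key fingerprint of every
# VALIDSIG line (field 12), falling back to the signing-key fingerprint
# (field 3) when the primary-key field is absent.
validsig_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3) }'
}

# verify_pinned KEYRING EXPECTED_FPR SIGFILE DATAFILE
# 0 = signature valid and made by EXPECTED_FPR, 1 = rejected, 2 = setup error.
verify_pinned() {
    [ $# -eq 4 ] || { echo "usage: verify_pinned KEYRING FPR SIG DATA" >&2; return 2; }
    keyring=$1 want=$2 sig=$3 data=$4
    [ -f "$keyring" ] || { echo "keyring not found: $keyring" >&2; return 2; }
    # gpgv resolves a name without a slash relative to its home directory,
    # so force a path to make sure exactly this file is used.
    case $keyring in */*) ;; *) keyring=./$keyring ;; esac
    # gpgv accepts only keys found in the keyring it is given here.
    status=$(gpgv --keyring "$keyring" --status-fd 1 "$sig" "$data" 2>/dev/null) || return 1
    printf '%s\n' "$status" | validsig_fprs | grep -qxF "$want"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | validsig_fprs
```

A caller would run, for instance, `verify_pinned ./release-keyring.gpg "$PINNED_FPR" file.sig file` and act only on exit status 0.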