BUG: Web of trust circumvention by secret key distribution

Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
Thu Dec 7 10:26:45 CET 2000


This is just some more stuff from the 'cracking GnuPG by cheating'
department.

GnuPG accepts secret keys from key servers.  This means that a secret
key can be added to the secret key ring without user intervention,
making the corresponding public key ultimately trusted and thus
effectively circumventing the web of trust.  (GnuPG has the additional
feature that the key becomes ultimately trusted only after a program
restart, so you will see the 'Could not find a valid trust path to the
key.' message once, but this is worse enough.)

A similar problem exists with "--import".  IMHO, a separate
"--import-secret-key" option is needed, and secret keys downloaded
from key servers should be discarded.

-- 
Florian Weimer 	                  Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
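A defender-side pre-import check for the path this report describes, added here as an example and not part of the message or of GnuPG: it reads only the OpenPGP packet headers of a binary (dearmored) key blob and reports any Secret-Key or Secret-Subkey packet, so a wrapper can refuse to hand such data to `--import`. The header layout follows RFC 4880 section 4.2 (unchanged from the RFC 2440 of the time); the sample blobs are constructed placeholders, not real key material.

```python
"""Flag OpenPGP secret-key packets in a key blob before it reaches 'gpg --import'.

Only packet headers are parsed; a Secret-Key (tag 5) or Secret-Subkey (tag 7)
packet means the blob would add a secret key, and with it ultimate trust.
Binary (dearmored) input is assumed.
"""
SECRET_TAGS = {5: "secret-key", 7: "secret-subkey"}

def _header(blob, i):
    """Return (tag, body_start, body_len) for the packet header at offset i."""
    b = blob[i]
    if not b & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % i)
    if b & 0x40:                       # new-format header: tag in low 6 bits
        tag = b & 0x3F
        l1 = blob[i + 1]
        if l1 < 192:                   # one-octet length
            return tag, i + 2, l1
        if l1 <= 223:                  # two-octet length
            return tag, i + 3, ((l1 - 192) << 8) + blob[i + 2] + 192
        if l1 == 255:                  # five-octet length
            return tag, i + 6, int.from_bytes(blob[i + 2:i + 6], "big")
        raise ValueError("partial body length at offset %d not supported" % i)
    tag = (b >> 2) & 0x0F              # old-format header: tag in bits 2..5
    ltype = b & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length at offset %d not supported" % i)
    n = (1, 2, 4)[ltype]
    return tag, i + 1 + n, int.from_bytes(blob[i + 1:i + 1 + n], "big")

def list_packets(blob):
    """Walk the blob and return its packet tag sequence, e.g. [6, 13, 2, 5]."""
    tags, i = [], 0
    while i < len(blob):
        tag, start, length = _header(blob, i)
        if start + length > len(blob):
            raise ValueError("truncated packet (tag %d) at offset %d" % (tag, i))
        tags.append(tag)
        i = start + length
    return tags

def secret_material(blob):
    """Names of secret-key packets found; an empty list means nothing secret would be imported."""
    return [SECRET_TAGS[t] for t in list_packets(blob) if t in SECRET_TAGS]

# Constructed sample blobs with placeholder bodies (not real key material):
# an old-format public-key packet (tag 6), then a new-format secret-key packet (tag 5).
PUBLIC_ONLY = bytes([0x80 | (6 << 2) | 0, 3]) + b"pub"
WITH_SECRET = PUBLIC_ONLY + bytes([0xC0 | 5, 4]) + b"sec!"
```

Run `secret_material()` over the bytes fetched from a key server (or the file given to `--import`) and refuse the import when the list is non-empty.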


