BUG: Web of trust circumvention by secret key distribution
L. Sassaman
rabbi at quickie.net
Thu Dec 7 01:59:32 CET 2000
Actually, a simpler solution would be to require that the user set the
implicit ultimate trust on the secret key manually, correct?
--Len.
On 7 Dec 2000, Florian Weimer wrote:
> This is just some more stuff from the 'cracking GnuPG by cheating'
> department.
>
> GnuPG accepts secret keys from key servers. This means that a secret
> key can be added to the secret key ring without user intervention,
> making the corresponding public key ultimately trusted and thus
> effectively circumventing the web of trust. (GnuPG has the additional
> feature that the key becomes ultimately trusted only after a program
> restart, so you will see the 'Could not find a valid trust path to the
> key.' message once, but this is bad enough.)
>
> A similar problem exists with "--import". IMHO, a separate
> "--import-secret-key" option is needed, and secret keys downloaded
> from key servers should be discarded.
>
> --
> Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
> University of Stuttgart http://cert.uni-stuttgart.de/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898
>
__
L. Sassaman
Security Architect | "The world's gone crazy,
Technology Consultant | and it makes no sense..."
|
http://sion.quickie.net | --Sting
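The proposal in the quoted message, that secret keys arriving from a key server be discarded, can be sketched as a filter over the binary OpenPGP packet stream. This is an added example, not code from GnuPG or from either poster; the function names are hypothetical, the tag numbers are the OpenPGP packet tags (RFC 4880, section 4.3), and the sample bytes are constructed placeholders.

```python
SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY = 5, 6, 7  # OpenPGP packet tags

def packets(data):
    """Yield (tag, raw_packet_bytes) for each OpenPGP packet in binary data."""
    pos = 0
    while pos < len(data):
        start, first = pos, data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        pos += 1
        if first & 0x40:                      # new-format header
            tag, o1 = first & 0x3F, data[pos]
            if o1 < 192:
                length, pos = o1, pos + 1
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body length in key data")  # fail closed
        else:                                 # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                length = len(data) - pos      # indeterminate: runs to end of input
            else:
                n = 1 << ltype                # 1, 2 or 4 length octets
                length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        pos += length
        yield tag, data[start:pos]

def strip_secret_keys(data):
    """Return (bytes_without_secret_key_blocks, dropped_packet_count)."""
    kept, dropped, skipping = bytearray(), 0, False
    for tag, raw in packets(data):
        if tag == SECRET_KEY:
            skipping = True                   # drop the whole secret key block
        elif tag == PUBLIC_KEY:
            skipping = False                  # a new public key block begins
        if skipping or tag == SECRET_SUBKEY:
            dropped += 1
        else:
            kept += raw
    return bytes(kept), dropped

# Constructed sample: public key + user ID, then secret key + user ID (fake bodies).
SAMPLE = (bytes([0x99, 0x00, 0x02]) + b"PK" + bytes([0xB4, 0x03]) + b"bob"
          + bytes([0x95, 0x00, 0x02]) + b"SK" + bytes([0xB4, 0x03]) + b"eve")
```

A caller handling key server responses would pass the de-armored response through `strip_secret_keys` and treat a non-zero dropped count as something to log.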