BUG: Web of trust circumvention by secret key distribution
L. Sassaman
rabbi at quickie.net
Tue Dec 12 01:02:38 CET 2000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11 Dec 2000, Florian Weimer wrote:
> Could you have a second look at the attack? If PGP works the way you
> told, I don't see why PGP isn't vulnerable, too (under the assumption
> that the public key import routines more-or-less silently import
> secret keys as well). The attack adds another secret key which forces
> GnuPG to consider the corresponding public key ultimately trusted.
When you import a secret key into PGP, the key is *not* ultimately
trusted. It is not trusted at all. You must manually set the trust on the
key.
And the imports of secret keys are not quiet: they say something like "One
or more of the keys you have imported is a secret key. You will need to
set the trust level for that key."
__
L. Sassaman
Security Architect | "The world's gone crazy,
Technology Consultant | and it makes no sense..."
|
http://sion.quickie.net | --Sting
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE6Nem6PYrxsgmsCmoRAqhsAKCu7Ljh0b+dktAjSFDssTCBGeEamQCeLw15
WTltHjtotAdEi10BVG7ducI=
=bgL6
-----END PGP SIGNATURE-----
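Added example, not part of this thread and not GnuPG's or PGP's own code: the attack under discussion only works if the recipient imports a "public key" block that secretly carries a secret-key packet, so the check a recipient can do independently of how any implementation handles trust is to walk the OpenPGP packet stream before importing and refuse anything containing a Secret-Key (tag 5) or Secret-Subkey (tag 7) packet. The parser below assumes RFC 4880 packet framing (old- and new-format headers, including partial body lengths), which is the same framing RFC 2440 specified in 2000; the sample key blocks are constructed with dummy packet bodies and are not real key material.

```python
# Added example (not GnuPG's or the poster's code): scan an OpenPGP key block
# for secret-key packets before importing it as a "public key".  Assumes RFC
# 4880 packet framing; sample data below is constructed, not real key material.
import base64

SECRET_KEY_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}


def dearmor(text):
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC) and base64-decode."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP") or line.startswith("="):  # END or CRC-24 line
            break
        if in_body:
            body.append(line.strip())
        elif line.strip() == "":  # blank line terminates the armor headers
            in_body = True
    return base64.b64decode("".join(body))


def iter_packets(data):
    """Yield (tag, body) per packet; handles old/new headers and partial lengths."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % (i - 1))
        if ctb & 0x40:  # new-format header: tag in low 6 bits, then length octets
            tag, body = ctb & 0x3F, bytearray()
            while True:
                o1 = data[i]
                i += 1
                if o1 < 192:
                    length, partial = o1, False
                elif o1 < 224:
                    length, partial = ((o1 - 192) << 8) + data[i] + 192, False
                    i += 1
                elif o1 == 255:
                    length, partial = int.from_bytes(data[i:i + 4], "big"), False
                    i += 4
                else:  # 224..254: partial body length, more chunks follow
                    length, partial = 1 << (o1 & 0x1F), True
                body += data[i:i + length]
                i += length
                if not partial:
                    break
            yield tag, bytes(body)
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:  # indeterminate length: packet runs to end of input
                length = n - i
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + size], "big")
                i += size
            yield tag, data[i:i + length]
            i += length


def find_secret_keys(blob):
    """Return names of secret-key packets found in blob (bytes or armored str)."""
    if isinstance(blob, str):
        blob = dearmor(blob)
    return [SECRET_KEY_TAGS[t] for t, _ in iter_packets(blob) if t in SECRET_KEY_TAGS]


def safe_to_import_as_public(blob):
    """True only if the block carries no secret-key material at all."""
    return not find_secret_keys(blob)


# --- constructed sample data: dummy packet bodies, not real key material ---
def new_packet(tag, body):
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def old_packet(tag, body):  # PGP 2.x-style header with a two-byte length field
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


def armor(data):
    b64 = base64.b64encode(data).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


CLEAN_KEY = (new_packet(6, b"\x04" + b"\x00" * 70)          # Public-Key
             + new_packet(13, b"Alice <alice@example.org>")  # User ID
             + old_packet(2, b"\x04\x13" + b"\x00" * 300))   # Signature
# What a malicious distributor slips into an otherwise normal public key block:
POISONED_KEY = CLEAN_KEY + new_packet(5, b"\x04" + b"\x00" * 250)  # Secret-Key

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_KEY), ("poisoned", armor(POISONED_KEY))):
        print(name, "->", find_secret_keys(blob) or "no secret-key packets")
```

The check is deliberately independent of any trust database: it answers only "does this blob contain secret-key packets at all", which is the precondition for the attack whether or not the importing implementation auto-trusts imported secret keys. Packet bodies are never interpreted, so the scan cannot be fooled by malformed key material inside a packet; it can only be bypassed by framing the stream in a way the importer accepts but this parser rejects, which is why the parser raises on an invalid tag byte instead of skipping it.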