BUG: --keyserver option may compromise anonymity

Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
Mon Dec 18 18:50:52 CET 2000

According to the GNU Privacy Handbook, the --keyserver is only taken
into account if a --send-keys or --recv-keys option is present as

| This option is used in conjunction with either 
| <link linkend="recv-keys"><option>recv-keys</option></link> or 
| <link linkend="send-keys"><option>send-keys</option></link> to specify a
| keyserver to manage public key distribution.

This is not the whole story.  Although there's a comment at the top of
hkp_ask_import() mentioning user interaction, I've never seen GnuPG
asking before doing a HKP request when verifying signatures.

 * Try to import the key with KEYID from a keyserver but ask the user
 * before doing so.
 * Returns: 0 the key was successfully imported
 *	    -1 key not found on server or user does not want to
 *	       import the key
 *	    or other error codes.
hkp_ask_import( u32 *keyid )

While the current approach is convenient for many (most?) people, it
can lead to anonymity compromise when GnuPG is used to decrypt (and
verify) a message send via anonymous remailers.

Either the code should be fixed, or this issue should be documented.
(Probably both.)

Florian Weimer 	                  Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

More information about the Gnupg-devel mailing list