[PATCH 3/3 v2] filter and verify keyserver responses
John Clizbe
John at enigmail.net
Mon Sep 16 00:20:29 CEST 2013
Stefan Tomanek wrote:
> This changes introduces import functions that apply a constraining
> filter to imported keys. These filters can verify the fingerprints of
> the keys returned before importing them into the keyring, ensuring that
> the keys fetched from the keyserver are in fact those selected by the
> user beforehand.
IIRC, gpg fetches keys by the most specific ID possible, for V4 keys it uses
the fingerprint.
Are fingerprint collisions so prevalent that they must be protected against?
> It also prevents the accidental import of secret keys through key server
> responses.
That would certainly be more than an accident as no keyserver I know will
store a private key.
This looks like code for code's sake. It's "protecting" against nonproblems.
More code --> more complexity --> more bugs.
--
John P. Clizbe Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130915/6b704f11/attachment-0001.sig>
More information about the Gnupg-devel
mailing list