[PATCH 3/3 v2] filter and verify keyserver responses

John Clizbe John at enigmail.net
Mon Sep 16 00:20:29 CEST 2013

Stefan Tomanek wrote:
> This changes introduces import functions that apply a constraining
> filter to imported keys. These filters can verify the fingerprints of
> the keys returned before importing them into the keyring, ensuring that
> the keys fetched from the keyserver are in fact those selected by the
> user beforehand.

IIRC, gpg fetches keys by the most specific ID possible, for V4 keys it uses
the fingerprint.

Are fingerprint collisions so prevalent that they must be protected against?

> It also prevents the accidental import of secret keys through key server
> responses.

That would certainly be more than an accident as no keyserver I know will
store a private key.

This looks like code for code's sake. It's "protecting" against nonproblems.
More code --> more complexity --> more bugs.

John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130915/6b704f11/attachment-0001.sig>

More information about the Gnupg-devel mailing list