[PATCH 3/3 v2] filter and verify keyserver responses

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 16 06:50:41 CEST 2013

Hi Stefan--

Thanks for your work on this.  I agree with you that client-side OpenPGP
implementations that pull data from keyservers should filter not just
for syntax but also for whether the received data matches the data

On 09/15/2013 11:29 PM, Stefan Tomanek wrote:

> Please, it doesn't matter if we encounter an "accident" or malicious behaviour:
> If I issue a command like "gpg --refreshkeys", I don't expect any new keys to be
> added to my keyring,

If you mean "any new primary keys", then i agree with this sentiment.
However, i would expect GnuPG to add new subkeys to my keyring if the
new subkeys are properly bound to the primary keys.

That is, it's possible for your keyring to gain new keys (with new
fingerprints) during a refresh; it's just that those keys are subkeys
attached to pre-existing primary keys.  right?



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130916/edd69ccd/attachment.sig>

More information about the Gnupg-devel mailing list