Keyserver rejection filter and signing subkeys

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Wed Jul 30 11:00:08 CEST 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 07/30/2014 10:22 AM, Werner Koch wrote:
> On Tue, 29 Jul 2014 20:11,
> kristian.fiskerstrand at sumptuouscapital.com said:
> 
>> Is this something that should be considered a regression, or do
>> we simply mark it as per design and that the primary key ID
>> should always
> 
> Yes, that is a regression.  It would also render the
> --auto-key-retrieve option useless if a signing subkey has been
> used.
> 
> To fix that we need to pass the keyblock and not just the key to
> the filter function.  However this partly defeats the purpose of
> the filter if a a faked subkey has been attached to a key and
> uploaded to the keyserver.  As long as the keyserver does not
> verify the key binding you would import a foreign key while
> verifying a signature done with the faked subkey.

Indeed, and the purpose of the filter is partly to protect against
mallicious keyservers, so even if the "good" keyservers implements
this[1]  it can't be trusted.

...

> 
> Technically the printing of the fingerprint is not done by the
> signature verification part.  If we want to make that the default
> we I would suggest to have something like this:

That looks good indeed

> 
> gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID
> 77F95F95 gpg: Primary key fingerprint: 8061 5870 F5BA D690 3336
> 86D0 F2AD 85AC 1E42 B367 gpg:      Subkey fingerprint: E4B8 68C8
> F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95

> the line will be too long, though.  Reformatting that for 2.1 ?

How about breaking the fprs over two lines? as long as they are
stacked up properly it'd look good still.


Endnotes:
[1] not likely for SKS at least as it currently does no signature
verification and the performance hit could be quite large
- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Ad astra per aspera
To the stars through thorns
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJT2LQUAAoJEPw7F94F4TagW1MQAJmsR7UiwT85pCVQErZg58qU
fUUm3MD327/4oD2bE0Z5ki9TmfGy+iKZMagQ7A3QGbXELVaJzSM6AI4RaCUmHp8g
sFWVmLS2z+kDeuaTOMzzybMRqZFXg+rlbA/H2DoMItXjqoSUA1Lzi7xypzB4WB6H
mAX5qZWZ/SKoPzGtzEFZdgyDUSKgl765BK+3GqwlX90lKGHDuwK38bQLof/N3zeb
qhA+ORuhcR6K/7SAOm7fQwIAUwmUflP+CiVs+CAeToMNQQFhZJHTnKsr5+aSjnK0
ol8OKHJWE/Vlfi2ANOskCkuA+Eq+axX5U0ZE3UWyaseXB0ia7pdHkIkgffDGq7g1
3O7ykZYe8pekcyiKkA7NPkYDaBqbp17yU5tzyZFZVniAUAq6eoSm1IoRoN0JI+Q9
tPd39j78RYwwz+HnCgh378hehuFNoibm4T2LQ6Y3t9kmDwX/r0v1UcHD0WWBqvTq
sdPj7BaYw52OU4AVi3Pmae45v2b3ZhGGhWQVjqFCSFGhVDg6ztSl6D0PlmOzVrK+
5/hRQ/Ay36XCYkN9SaMQg+QSheHqNIVkKHuKbjZz+4fWPpBxBaackuuQ/2np/gvi
O+0kUFqtDVMyHO6xMoU/rIQoDXOjMsALkEPuHDK5EhChHkLDGYpj07dtowGOVDGu
iJrqSj/9ipUJtHimIhd2
=+Tms
-----END PGP SIGNATURE-----

More information about the Gnupg-devel mailing list