Keyserver rejection filter and signing subkeys
Werner Koch
wk at gnupg.org
Wed Jul 30 14:43:22 CEST 2014
On Wed, 30 Jul 2014 11:00, kristian.fiskerstrand at sumptuouscapital.com said:
>> verify the key binding you would import a foreign key while
>> verifying a signature done with the faked subkey.
>
> Indeed, and the purpose of the filter is partly to protect against
> malicious keyservers, so even if the "good" keyservers implement
> this[1] it can't be trusted.
Actually this is not a problem because gpg won't import that subkey due
to the missing key binding.
>> gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
>> gpg: Primary key fingerprint: 8061 5870 F5BA D690 3336 86D0 F2AD 85AC 1E42 B367
>> gpg: Subkey fingerprint: E4B8 68C8 F90C 8964 B5AF 9DBC 4F05 40D5 77F9 5F95
>
>> the line will be too long, though. Reformatting that for 2.1 ?
>
> How about breaking the fprs over two lines? as long as they are
> stacked up properly it'd look good still.
Not good because c+p won't work. Note that since some time gpg accepts
a standard formatted fingerprint thus there is no need to remove the
spaces.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
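
The reply above turns on the subkey binding signature. As an added example (not part of the original message and not GnuPG code), this Python sketch walks the packets of a binary OpenPGP key blob and reports subkey packets that no signature packet of type 0x18 (subkey binding, RFC 4880) follows. It is a structural check only and verifies no signature; the function names and the sample bytes are constructed for illustration.

```python
# Added example: structural check only, verifies no signature; sample data is constructed.
PUBKEY, SIG, USERID, SUBKEY, SUBKEY_BINDING = 6, 2, 13, 14, 0x18

def packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) OpenPGP blob."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n, length = 0, first
            elif first < 224:
                n, length = 1, ((first - 192) << 8) + data[i] + 192
            elif first == 255:
                n, length = 4, int.from_bytes(data[i:i + 4], "big")
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                 # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype                    # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + n], "big")
        i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def unbound_subkeys(data):
    """0-based positions of subkeys that no 0x18 signature packet follows."""
    missing, pos, bound = [], -1, True
    for tag, body in packets(data):
        if tag in (PUBKEY, SUBKEY):           # a new key closes the previous subkey
            if not bound:
                missing.append(pos)
            bound = tag == PUBKEY             # a fresh subkey starts out unbound
            pos += 1 if tag == SUBKEY else 0
        elif tag == SIG and len(body) > 2:    # type octet: body[1] in v4+, body[2] in v3
            bound = bound or (body[1] if body[0] >= 4 else body[2]) == SUBKEY_BINDING
    return missing if bound else missing + [pos]

def pkt(tag, body):                           # old-format header, 1-octet length
    return bytes([0x80 | tag << 2, len(body)]) + body
SAMPLE = b"".join(pkt(t, b) for t, b in [(PUBKEY, b"\x04primary"), (USERID, b"alice"),
    (SIG, b"\x04\x13\x00"), (SUBKEY, b"\x04sub-a"), (SIG, b"\x04\x18\x00"), (SUBKEY, b"\x04sub-b")])
```

In `SAMPLE` the second subkey (`sub-b`) has no binding signature after it, so `unbound_subkeys(SAMPLE)` reports position 1.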