Keyserver rejection filter and signing subkeys

Werner Koch wk at gnupg.org
Wed Jul 30 14:43:22 CEST 2014


On Wed, 30 Jul 2014 11:00, kristian.fiskerstrand at sumptuouscapital.com
said:

>> verify the key binding you would import a foreign key while
>> verifying a signature done with the faked subkey.
>
> Indeed, and the purpose of the filter is partly to protect against
> mallicious keyservers, so even if the "good" keyservers implements
> this[1]  it can't be trusted.

Actually this is not a problem because gpg won't import that subkey due
to the missing key binding.

>> gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID
>> 77F95F95 gpg: Primary key fingerprint: 8061 5870 F5BA D690 3336
>> 86D0 F2AD 85AC 1E42 B367 gpg:      Subkey fingerprint: E4B8 68C8
>> F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95
>
>> the line will be too long, though.  Reformatting that for 2.1 ?
>
> How about breaking the fprs over two lines? as long as they are
> stacked up properly it'd look good still.

Not good because c+p won't work.  Note that since some time gpg accepts
a standard formatted fingerprint thus tehre is no need to remove the
spaces.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




More information about the Gnupg-devel mailing list