Keyserver rejection filter and signing subkeys

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Wed Jul 30 14:52:35 CEST 2014


On 07/30/2014 02:43 PM, Werner Koch wrote:
> On Wed, 30 Jul 2014 11:00,
> kristian.fiskerstrand at sumptuouscapital.com said:
> 
>>> verify the key binding you would import a foreign key while 
>>> verifying a signature done with the faked subkey.
>> 
>> Indeed, and the purpose of the filter is partly to protect
>> against malicious keyservers, so even if the "good" keyservers
>> implement this[1]  it can't be trusted.
> 
> Actually this is not a problem because gpg won't import that subkey
> due to the missing key binding.
> 
>>> gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
>>> gpg: Primary key fingerprint: 8061 5870 F5BA D690 3336 86D0 F2AD 85AC 1E42 B367
>>> gpg:      Subkey fingerprint: E4B8 68C8 F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95
>> 
>>> the line will be too long, though.  Reformatting that for 2.1
>>> ?
>> 
>> How about breaking the fprs over two lines? as long as they are 
>> stacked up properly it'd look good still.
> 
> Not good because c+p won't work.  Note that since some time gpg
> accepts a standard formatted fingerprint thus there is no need to
> remove the spaces.

I was thinking more along the lines of

  $ gpg --verify --with-fingerprint foo
  gpg: Signature made Wed Jul 30 10:08:40 2014 CEST using DSA key ID 77F95F95
  gpg: Primary key fingerprint:
  gpg:         8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
  gpg: Subkey fingerprint:
  gpg:         E4B8 68C8 F90C 8964 B5AF  9DBC 4F05 40D5 77F9 5F95
  gpg: Good signature from "Werner Koch <wk at gnupg.org>"
  gpg:                 aka "Werner Koch <wk at g10code.com>"
  gpg:                 aka "Werner Koch <werner  at eifzilla>"


-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Ad astra per aspera
To the stars through thorns



More information about the Gnupg-devel mailing list