[PATCH] Disable importing V3 public keys from keyservers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 10 16:25:20 CEST 2014


On 10/10/2014 10:10 AM, David Leon Gil wrote:
> Yes; V3 keys with V3 signatures get a warning / don't work. Have you
> tried this with a V3 key with a *V4* signature?
> 
> Here's Ben Laurie's key. Results of gpg2 --import:
> 
> gpg: pub  4090R/0x1B080C452719AF35 2013-08-05  Ben Laurie <ben at links.org>
> gpg: using PGP trust model
> gpg: key 0x1B080C452719AF35: public key "Ben Laurie <ben at links.org>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1  (RSA: 1)

sorry, i hadn't tested this part, and you're quite right.  I agree that
we should reject v3 keys on import entirely.

Just blocking MD5 is insufficient, and gpg 2.1 does successfully import
your demonstration key.

	--dkg

PS if Ben Laurie is reading this, sorry that you got used as an example!

More information about the Gnupg-devel mailing list