[Announce] new gnupg snapshot

Florian Weimer fw@deneb.enyo.de
Sat Apr 7 00:45:04 2001

Andrew McDonald <andrew@mcdonald.org.uk> writes:

> On Fri, Apr 06, 2001 at 07:40:48PM +0200, Johan Wevers wrote:
> > Werner Koch wrote:
> >
> > > * Secret keys are no longer imported unless you use the new option
> > > --allow-secret-key-import.
> >
> > Why is that? What was the problem with importing secret keys?
> IIRC, if you have a secret key it is ultimately trusted by default.
> Persuading you to import a secret key could, therefore, subvert your
> web of trust.
Exactly, and every key server or network operator could attach such a secret key to a response for a request, so this is a real problem. This might a new threat in conjunction with the Klima/Rosa attack (i.e. no write access to the key ring is required), but I didn't check the GnuPG behavior if a modified version of a secret key already present in the secret key ring is encountered.