Serious Key selection bug in 1.0.4

Nicholas Cole nicholas.cole@university-college.oxford.ac.uk
Wed Feb 7 19:38:13 2001


I have already submitted this bug in the Correct Place(TM):

http://bugs.guug.de/Bugs/db/42/427.html

However, I wondered if any on the list could propose a patch to solve the
problem, or indeed a workaround.  For full details see the link, but the
basic point is that under conditions where more than one key contains the
email address of the intended recipient (e.g. if new keys are generated each
year), gpg will select the wrong key to encrypt to if the recipient is
specified by email address or name (as opposed to numeric key id or
fingerprint, which are different).

No warning will be given, and the older key will be selected even if
disabled and expired.  Under certain circumstances, this could represent a
security risk.

Deleting the older key is one option, but that would make verifying older
signatures impossible.

--Nicholas
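
A check for the situation described above, as an added example that is not part of the original post or of gpg itself: it parses a key listing in gpg's `--with-colons` format, finds every primary key whose user ID contains the address, and returns a key ID only when exactly one usable key matches. The function names and the sample listing (constructed, not real keys) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the `gpg --with-colons --list-keys` record format.
SAMPLE = """\
pub:e:1024:17:1111111111111111:2000-01-05:2001-01-04::-:Alice Example <alice@example.org>::scESC:
sub:e:1024:16:2222222222222222:2000-01-05:2001-01-04:::::e:
pub:u:1024:17:3333333333333333:2001-01-05:2002-01-05::-:Alice Example <alice@example.org>::scESC:
sub:u:1024:16:4444444444444444:2001-01-05:2002-01-05:::::e:
pub:u:1024:17:5555555555555555:2000-06-01:::-:Bob Example <bob@example.org>::scESC:
"""

# Validity letters (field 2) that make a key unfit as an encryption target:
# e = expired, r = revoked, i = invalid, d = disabled (older marker).
UNUSABLE = set("erid")

def keys_by_email(listing):
    """Map each e-mail address to [(key_id, usable), ...] for all matching primary keys."""
    found = defaultdict(list)
    key_id, usable = None, False
    for line in listing.splitlines():
        f = line.split(":")
        f += [""] * (12 - len(f))          # pad short records
        if f[0] == "pub":
            key_id = f[4]
            # Newer listings flag a disabled key with 'D' in field 12.
            usable = f[1] not in UNUSABLE and "D" not in f[11]
        elif f[0] != "uid" or f[1] == "r":  # skip subkeys and revoked user IDs
            continue
        m = re.search(r"<([^>]+)>", f[9])   # user ID string is field 10
        if m and key_id and (key_id, usable) not in found[m.group(1).lower()]:
            found[m.group(1).lower()].append((key_id, usable))
    return found

def recipient_key_id(listing, email):
    """Return the one usable key ID for `email`; refuse to guess otherwise."""
    matches = keys_by_email(listing).get(email.lower(), [])
    usable = [k for k, ok in matches if ok]
    if len(usable) != 1:
        raise LookupError(f"{email}: {len(matches)} keys match, {len(usable)} usable")
    return usable[0]
```

The returned key ID can then be given to gpg's `-r` option in place of the e-mail address, so the older key can stay on the keyring for verifying old signatures.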