reasons for needing --allow-secret-key-import?
Ingo Klöcker
ingo.kloecker@epost.de
Sat Feb 23 01:12:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 22 February 2002 20:35, Frank Tobin wrote:
> I'm curious as to why the --allow-secret-key-import option is needed.
> From what I can tell, could only be a problem if imported secret keys
> were automatically trusted (which would be bad), and would as such
> indicate a problem in GnuPG. Importing untrusted secret keys should
> not be an issue.
AFAIK secret keys are always ultimately trusted. Therefore someone could
include a secret key with a public key packet he sends you and trick
you to import his secret key. This will your GnuPG ultimately trust the
public key corresponding to his secret key.
Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8dt4BGnR+RTDgudgRAoJkAJwNDOrWODU3KNK4WQXBfCN2xAUXpwCgxslG
JfP2suct8pEAsGe9LRoNVSk=
=XfcH
-----END PGP SIGNATURE-----