Import a pubkey sans self-sig?
Yenot
yenot@sec.to
Tue Apr 8 20:25:01 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday 08 April 2003 01:14 am, David Shaw wrote:
> On Mon, Apr 07, 2003 at 03:59:03PM -0400, gabriel rosenkoetter wrote:
> > I'd like to encipher things to keyid 75E4988D (seems to be on
> > wwwkeys.pgp.net)... but GnuPG simply refuses to import it because
> > it's lacking a self-signature.
> >
> > pgp 6.5.2 (yeah, I know, but this is a long-standing production
> > process at work that I'm trying to update) has no trouble with this
> > key.
> >
> > --expert doesn't help and we don't have a --force...
>
> --allow-non-selfsigned-uid

I was shocked that non-self-signed UID's were allowed at all.
The only reason I can think of for such a UID would be to
annotate a local key that you don't own. (Just as local
signatures are used for localized key annotation.) I decided
to run some tests. Others may be interested in the results:

GnuPG 1.2.1
- -----------

    gpg --import key.asc

This command *silently* ignores unsigned UID's.

    gpg --import --allow-non-selfsigned-uid key.asc

This command imports unsigned UID's, but warns the user about
the unsigned UID's.

    gpg -o key.asc --export test@test.com

This command exports *all* UID's. No warning is given about
the unsigned UID's.

PGP 8.02
- --------

Imports and exports unsigned UID's. Unsigned UID's are annotated
as being *revoked*. ldap://keyserver.pgp.com also accepts unsigned
UID's. This means one could [for example] add porn site
advertisements and humorous but annoying photo UID's to an enemy's
key. ... advertisements are probably only a matter of time if
the problem isn't fixed.

- Yenot
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+krxQP247TY29IxARAvuGAKCS0y1QXELN31uhmhzclmIEaLU+PgCgnLVK
Ed0FhHSUadI2ALgXA+4Xrbg=
=MM0r
-----END PGP SIGNATURE-----
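
Added example, not part of the original message and not GnuPG's or PGP's own code: a pre-import check that walks a binary (de-armored) key and reports which User IDs carry no certification naming the primary key as issuer, which is the condition the tests above exercise. It assumes a v4 primary key and short length encodings, it does not verify the signature cryptographically, and the names `packets`, `sig_info`, `uid_report` and the sample bytes are constructed for illustration.

```python
import hashlib

def packets(data):
    """Yield (tag, body) for each packet of a binary (de-armored) OpenPGP key."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                      # new-format header (1-octet length only)
            tag, size = hdr & 0x3F, 1
        else:                               # old-format header: 1, 2 or 4 length octets
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
        n, i = int.from_bytes(data[i:i + size], "big"), i + size
        if size == 8 or (hdr & 0x40 and n >= 192):
            raise ValueError("unsupported packet length encoding")
        yield tag, data[i:i + n]
        i += n

def sig_info(body):
    """Return (signature type, issuer key ID the signature claims) for v3/v4."""
    if body[0] == 3:
        return body[2], body[7:15]
    sigtype, pos, issuer = body[1], 4, None
    for _ in range(2):                      # hashed area, then unhashed area
        pos, end = pos + 2, pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        while pos < end:
            n, pos = body[pos], pos + 1     # subpacket length (covers type + data)
            if n >= 192:
                raise ValueError("long subpacket lengths not handled")
            if body[pos] & 0x7F == 16:      # Issuer subpacket
                issuer = body[pos + 1:pos + 9]
            pos += n
    return sigtype, issuer

def uid_report(data):
    """Map each User ID to True if a certification naming the primary key follows it."""
    keyid, uid, report = b"", None, {}
    for tag, body in packets(data):
        if tag == 6:                        # v4 key ID: low 64 bits of SHA-1 fingerprint
            keyid = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]
        elif tag in (13, 17):               # User ID, or user attribute such as a photo
            uid = body.decode("utf-8", "replace") if tag == 13 else f"<attribute {len(report)}>"
            report[uid] = False
        elif tag == 2 and uid is not None:  # types 0x10-0x13 are UID certifications
            report[uid] |= sig_info(body) in [(t, keyid) for t in range(0x10, 0x14)]
    return report

KEY = bytes([4, 0, 0, 0, 0, 1, 0, 8, 0xFF, 0, 2, 3])    # constructed, not a real key
SELFSIG = bytes([4, 0x13, 1, 2, 0, 0, 0, 10, 9, 16]) + hashlib.sha1(b"\x99\x00\x0c" + KEY).digest()[-8:]
SAMPLE = b"\x98\x0c" + KEY + b"\xb4\x05Alice" + b"\x88\x12" + SELFSIG + b"\xb4\x08Injected"
```

`uid_report(SAMPLE)` flags the constructed "Injected" UID as lacking a self-certification. A `True` entry only means a packet claims the primary key as issuer, so the signature itself still has to be checked, for example with `gpg --check-sigs` after import.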