Keyservers mangle with subkey binding sigs

Vlad "SATtva" Miller sattva at pgpru.com
Sat Jan 19 14:38:50 CET 2008


Charly Avital wrote on 19.01.2008 18:26:
> Vlad "SATtva" Miller wrote the following on 1/19/08 6:01 AM:
> [...]
> | Here for example (in the bottom) you may see two subkeys with binding
> | signatures expired at 2007-12-31:
> |
> http://pool.sks-keyservers.net:11371/pks/lookup?search=0x8443620A&op=vindex
> 
> So it is.
> 
> | But if you look at the original copy you'll see that all regenerated
> | sigs are in place:
> | http://www.vladmiller.info/contacts/openpgp.txt
> 
> After importing that keyblock:
[snip]
> [name]$ gpg --edit-key 8443620A
> gpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> 
> pub  4096R/8443620A  created: 2006-12-21  expires: never       usage: SC
> ~                     trust: unknown       validity: unknown

.                                           vvvvvvvvvvvvvvvvvvv
> sub  2048R/070E0B73  created: 2006-12-21  expires: 2010-01-01  usage: S
> sub  2048R/7D57ED51  created: 2006-12-21  expires: 2010-01-01  usage: E
.                                           ^^^^^^^^^^^^^^^^^^^

So here's an explicit distinction between what we got from a keyserver
and from the gpg output.

[snip]
> In my system now:
> 
> I have not signed your key

And you should not.

-- 
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com
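Added example, not part of the original message or of GnuPG: one way to check mechanically for the discrepancy shown above is to compare the subkey expiry fields of two `gpg --with-colons` listings, one taken from the keyserver copy and one from the owner's published copy. The function names and both sample listings are constructed for illustration (dates follow the thread; long key IDs are the short IDs zero-padded), and the listings are assumed to have been captured as text beforehand.

```python
"""Compare subkey expiry between two `gpg --with-colons` listings of one key."""
from datetime import datetime, timezone

# Constructed sample listings (not real gpg output for this key).
SERVED = """\
pub:-:4096:1:000000008443620A:2006-12-21::::::sc:
sub:e:2048:1:00000000070E0B73:2006-12-21:2007-12-31:::::s:
sub:e:2048:1:000000007D57ED51:2006-12-21:2007-12-31:::::e:
"""
ORIGINAL = """\
pub:-:4096:1:000000008443620A:1166659200::::::sc:
sub:-:2048:1:00000000070E0B73:1166659200:1262304000:::::s:
sub:-:2048:1:000000007D57ED51:1166659200:1262304000:::::e:
"""

def _date(field):
    """Colon-format date: epoch seconds or YYYY-MM-DD; empty means 'never'."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), timezone.utc).date().isoformat()
    return field[:10]

def subkey_expiry(listing):
    """Map short subkey ID (from field 5) to expiry (field 7) per 'sub' record."""
    out = {}
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) > 6 and f[0] == "sub":
            out[f[4][-8:]] = _date(f[6])
    return out

def stale_subkeys(served, original):
    """Subkeys that expire earlier in the served copy than in the original."""
    a, b = subkey_expiry(served), subkey_expiry(original)
    stale = []
    for kid, exp in sorted(a.items()):
        ref = b.get(kid, exp)  # subkey absent from original: nothing to compare
        if exp is not None and (ref is None or exp < ref):
            stale.append((kid, exp, ref))
    return stale

if __name__ == "__main__":
    for kid, exp, ref in stale_subkeys(SERVED, ORIGINAL):
        print(f"{kid}: served copy expires {exp}, original expires {ref or 'never'}")
```

The two copies have to be listed separately (for example from separate keyrings), because importing both into one keyring merges their signatures.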

