German ct magazine postulates death of pgp encryption

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Sun Mar 1 17:54:14 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/01/2015 05:45 PM, Marco Zehe wrote:
> Hi Kristian,
> 
>> Am 01.03.2015 um 17:36 schrieb Kristian Fiskerstrand 
>> <kristian.fiskerstrand at sumptuouscapital.com>:
>> 
>> Seriously? Please look at 
>> https://bugzilla.mozilla.org/show_bug.cgi?id=790487 regarding that
>> implementation, which opens up another can of worms (encrypts
>> to {S,C} key, not encryption key, dual usage of same key material
>> for different purposes... BAD)
> 
> Do you have any insight to share in that bug that might help my 
> colleagues move fixing it forward? I’m sure it would be highly 
> appreciated! :)
> 

Since the author's first reaction was closing it WONTFIX, I didn't
bother; with that kind of behavior they can't possibly take security
seriously.

The proper solution seems to be a re-implementation of the system to
use gpgme for encryption. I'm also worried about the system's key
management in the case of
	(i) revocations; as I'm not aware of any key refreshes being made,
meaning a revocation certificate uploaded to the public keyserver network
would not be honored and would still constitute an information leak.
	(ii) Ditto for the issue of replacing the subkeys, as key rotation
would not be automatically taken into consideration and would have to
be uploaded manually to each bugzilla implementation using that flawed
piece of software (the securemail extension, not bugzilla itself).

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Timendi causa est nescire
The cause of fear is ignorance
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJU80QyAAoJEP7VAChXwav6NLcH/2mkfs2MRRHhSc1ZcEVWstJ5
0ZDSGVHUDsAFqUGxXyxbOj+nc1yrZBlQCxFhd3dogtIMYUDkCckEDEIahT029jsL
dJ3GvXjf3ZdKKCsIl+MTypr1ToyMJ0r0DpTv90XxdX97svdc7VUi5wIMdNiL3mbV
dLbUXt8e1qTt1Y9ie08vhGVmSP3IesSztLlWkxyIPL7NFDNqMwTUCk/RAZx4qwpT
Ore/QxzBYlBrauYJpyUrNhKX6atF1GmCT8w0AKI1E55TUJSDmadOzt8T4rGYRkD0
Hz3OWjdGsUETjDy0JFbwnky1a+RBKXqrEtmHmFw+5dE6IiqEXKe+hBrTRlMqQUQ=
=g23o
-----END PGP SIGNATURE-----
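The two key-management concerns above (encryption going to the primary {S,C} key instead of a dedicated encryption subkey, and revoked or rotated subkeys never being picked up because nothing refreshes the local copy) can both be checked from a plain key listing. The script below is an added example written for this page, not code from the thread, from GnuPG or from the Bugzilla securemail extension: it reads the machine-readable format of `gpg --with-colons --list-keys` and reports which key material would be used for encryption. The listing and the key IDs in it are constructed placeholders, not output for any real key.

```shell
#!/bin/sh
# Added example (not from the thread): audit a key listing in the
# machine-readable format of `gpg --with-colons --list-keys` to see whether
# encryption would go to a dedicated subkey or to the primary {S,C} key, and
# whether any of the material is already revoked. Key IDs and the listing
# itself are constructed placeholders, not real gpg output.

# Constructed sample. Key AAAA...01 is laid out the usual way: the primary
# signs/certifies (own caps "sc"), encryption lives on subkey AAAA...02.
# Key BBBB...01 shows the two problems raised in the thread: the primary key
# itself carries the encryption capability ("e" in its own caps, so the same
# material is used for signing and decryption), and its only encryption
# subkey has been revoked (validity field "r"), so a stale copy of this key
# would still be encrypted to.
SAMPLE_LISTING='pub:u:4096:1:AAAA000000000001:1420000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000AAAA000000000001:
uid:u::::1420000000::0000::Example One <one@example.invalid>::::::::::0:
sub:u:4096:1:AAAA000000000002:1420000000::::::e::::::23:
pub:u:2048:1:BBBB000000000001:1420000000:::u:::escESC::::::23::0:
fpr:::::::::0000000000000000000000000000BBBB000000000001:
uid:u::::1420000000::0000::Example Two <two@example.invalid>::::::::::0:
sub:r:2048:1:BBBB000000000002:1420000000::::::e::::::23:'

# Reads colon-format records on stdin and prints one finding per line.
# Field 2 is validity ("r" = revoked); field 5 is the key ID; field 12 holds
# key capabilities, lowercase for the listed key's own capabilities and
# uppercase for the usable capabilities of the whole key.
audit_keylisting() {
    awk -F: '
        function flush() {
            if (cur == "") return
            if (revoked) print "REVOKED_PRIMARY " cur
            if (dual)    print "DUAL_USE_PRIMARY " cur
            if (!encsub) print "NO_USABLE_ENC_SUBKEY " cur
            if (!revoked && !dual && encsub) print "OK " cur
            cur = ""
        }
        $1 == "pub" {
            flush()
            cur = $5
            revoked = ($2 == "r")
            dual = ($12 ~ /e/)   # lowercase e: the primary key itself can decrypt
            encsub = 0
        }
        $1 == "sub" {
            if ($2 == "r")      print "REVOKED_SUBKEY " cur " " $5
            else if ($12 ~ /e/) encsub = 1
        }
        END { flush() }
    '
}

# Stand-alone run over the constructed sample. Against a real keyring the
# same function is fed with: gpg --with-colons --list-keys | audit_keylisting
printf '%s\n' "$SAMPLE_LISTING" | audit_keylisting
```

On the sample this prints `OK` for the first key and `REVOKED_SUBKEY`, `DUAL_USE_PRIMARY` and `NO_USABLE_ENC_SUBKEY` for the second. The revocation and rotation findings only show up if the local keyring has actually been refreshed (`gpg --refresh-keys` pulls revocation certificates and new subkeys from the keyservers); an integration that imports a key once and never refreshes it keeps reporting the stale layout, which is exactly the problem described in points (i) and (ii) above.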



More information about the Gnupg-users mailing list