German ct magazine postulates death of pgp encryption

Marco Zehe marcozehe-ml at mailbox.org
Sun Mar 1 18:01:05 CET 2015


Hi Kristian,

> Am 01.03.2015 um 17:54 schrieb Kristian Fiskerstrand <kristian.fiskerstrand at sumptuouscapital.com>:
> 
> Since the author's first reaction was closing it WONTFIX, I didn't
> bother; with that kind of behavior they can't possibly take security
> seriously.

Error in judgement that has since been corrected. These things sometimes happen, but this should definitely not be generalized.

> 
> 
> The proper solution seems to be a re-implementation of the system to
> use gpgme for encryption. I'm also worried about the system's key
> management in the case of
> 	(i) revocations; as I'm not aware of any key refreshes being made,
> meaning a revocation certificate uploaded to public keyserver network
> would not be honored and still constitute information leak.
Yes, the public key doesn’t come from a key server in the first place, but needs to be copied and pasted into a standard HTML textarea while filling in the form for that Securemail extension. So it is the key owner’s responsibility to keep it up to date. As far as I know, there is no interaction with any outside source in this matter.


> 
> 	(ii) Ditto for the issue of replacing the subkeys, as key rotation
> would not be automatically taken into consideration and would have to
> be uploaded manually to each bugzilla implementation using that flawed
> piece of software (the securemail extension, not bugzilla itself).

Yes, these instances are all acting independently; there is no exchange between totally unrelated Bugzilla instances.

Marco
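The thread above turns on one check the extension never makes: a key pasted into a textarea is stored as-is and never refreshed, so a revocation or expiry that appears later is not seen. What follows is an added example, not code from the Securemail extension, from Bugzilla, or from either poster: a minimal OpenPGP packet walk in Python that flags a pasted public key block as revoked or expired at the moment it is submitted. It parses old- and new-format packet headers and the hashed subpackets of v4 signatures as laid out in RFC 4880, and it constructs its own sample key blocks with placeholder MPIs. It does not verify any signature cryptographically (that is what a gpgme-based re-implementation would do), and it cannot see a revocation that exists only on the keyserver network, which is exactly the gap the thread describes. The names `key_status`, `dearmor` and `sample_key` are assumptions of this example.

```python
import base64
import struct
import time

# OpenPGP constants used below (RFC 4880): packet tags, signature types, subpacket types
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14
CERT_TYPES = range(0x10, 0x14)                  # certification self-signatures carry key expiry
SIG_KEY_REVOCATION, SIG_SUBKEY_REVOCATION = 0x20, 0x28
SUB_SIG_CREATED, SUB_KEY_EXPIRES = 2, 9


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, armor headers, blank line, CRC24) to raw packets."""
    lines, collect = [], False
    for line in armored.strip().splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            collect = True
        elif line.startswith("-----END PGP"):
            break
        elif collect and line and ":" not in line and not line.startswith("="):
            lines.append(line)
    return base64.b64decode("".join(lines))


def _length(data: bytes, pos: int, two_byte_max: int):
    """Decode a new-format packet or subpacket length; returns (length, next_pos)."""
    b1 = data[pos]
    if b1 < 192:
        return b1, pos + 1
    if b1 <= two_byte_max:                        # 223 for packets, 254 for subpackets
        return ((b1 - 192) << 8) + data[pos + 1] + 192, pos + 2
    if b1 == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not supported")


def iter_packets(data: bytes):
    """Yield (tag, body) for every packet in a binary key blob."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                          # new-format header
            tag = first & 0x3F
            length, pos = _length(data, pos + 1, 223)
        else:                                     # old-format header (what gpg --export emits)
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def hashed_subpackets(sig_body: bytes) -> dict:
    """Return {subpacket type: data} from the hashed area of a v4 signature packet."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures are supported")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    area, pos, subs = sig_body[6:6 + hashed_len], 0, {}
    while pos < len(area):
        length, pos = _length(area, pos, 254)
        subs[area[pos] & 0x7F] = area[pos + 1:pos + length]   # mask the critical bit
        pos += length
    return subs


def key_status(armored: str, now: int) -> dict:
    """Structural revocation/expiry findings for a pasted public key block (no crypto)."""
    status = {"revoked": False, "expired": False, "revoked_subkeys": 0}
    created, on_primary = None, True
    for tag, body in iter_packets(dearmor(armored)):
        if tag in (TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY):
            if body[0] != 4:
                raise ValueError("only v4 keys are supported")
            created = struct.unpack(">I", body[1:5])[0]
            on_primary = tag == TAG_PUBLIC_KEY
        elif tag == TAG_SIGNATURE:
            sig_type, subs = body[1], hashed_subpackets(body)
            if sig_type == SIG_KEY_REVOCATION:
                status["revoked"] = True
            elif sig_type == SIG_SUBKEY_REVOCATION:
                status["revoked_subkeys"] += 1
            elif sig_type in CERT_TYPES and on_primary and SUB_KEY_EXPIRES in subs:
                lifetime = struct.unpack(">I", subs[SUB_KEY_EXPIRES])[0]   # seconds after creation
                status["expired"] = created + lifetime <= now
    return status


def _packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body   # new-format header, one-byte length


def _signature(sig_type: int, subs: dict) -> bytes:
    """Constructed v4 signature with placeholder hash prefix and MPI (not verifiable)."""
    hashed = b"".join(bytes([len(d) + 1, t]) + d for t, d in subs.items())
    body = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
    body += b"\x00\x00" + b"\x00\x00" + b"\x00\x08\xAA"   # no unhashed subs, hash prefix, dummy MPI
    return _packet(TAG_SIGNATURE, body)


def sample_key(created: int, lifetime: int, revoked: bool) -> str:
    """Constructed armored key block with placeholder MPIs; sample data, not a real key."""
    key = _packet(TAG_PUBLIC_KEY, bytes([4]) + struct.pack(">I", created) + b"\x01\x00\x08\xAB\x00\x02\x03")
    rev = _signature(SIG_KEY_REVOCATION, {SUB_SIG_CREATED: struct.pack(">I", created + 1)}) if revoked else b""
    uid = _packet(TAG_USER_ID, b"Constructed Example <example@example.invalid>")
    self_sig = _signature(0x13, {SUB_SIG_CREATED: struct.pack(">I", created),
                                 SUB_KEY_EXPIRES: struct.pack(">I", lifetime)})
    b64 = base64.b64encode(key + rev + uid + self_sig).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n" + b64 + "\n-----END PGP PUBLIC KEY BLOCK-----\n"


if __name__ == "__main__":
    now, year = int(time.time()), 365 * 86400
    for label, key in {"fresh": sample_key(now - 30 * 86400, year, False),
                       "expired": sample_key(now - 2 * year, year, False),
                       "revoked": sample_key(now - 30 * 86400, year, True)}.items():
        print(label, key_status(key, now))
```

A check like this only catches what is already inside the pasted block; the point Kristian raises is that a revocation certificate published after the paste never reaches the instance at all, so the same check has to be re-run against a refreshed copy of the key (fetched from a keyserver or re-submitted by the owner) before each encryption, and the expiry and revocation decisions should be made by a real OpenPGP implementation rather than by a packet walk.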
