German ct magazine postulates death of pgp encryption
marcozehe-ml at mailbox.org
Sun Mar 1 18:01:05 CET 2015
> On 01.03.2015 at 17:54, Kristian Fiskerstrand <kristian.fiskerstrand at sumptuouscapital.com> wrote:
> Since the author's first reaction was closing it WONTFIX I didn't
> bother, with that kind of behavior they can't possibly take security
Error in judgement that has since been corrected. These things sometimes happen, but this should definitely not be generalized.
> The proper solution seems to be a re-implementation of the system to
> use gpgme for encryption. I'm also worried about the system's key
> management in the case of
> (i) revocations; as I'm not aware of any key refreshes being made,
> meaning a revocation certificate uploaded to public keyserver network
> would not be honored and still constitute information leak.
Yes, the public key doesn’t come from a key server in the first place, but needs to be copied and pasted into a standard HTML textarea while filling in the form for that Securemail extension. So it is the key owner’s responsibility to keep it up to date. As far as I know, there is no interaction with any outside source in this matter.
> (ii) Ditto for the issue of replacing the subkeys, as key rotation
> would not be automatically taken into consideration and would have to
> be uploaded manually to each bugzilla implementation using that flawed
> piece of software (the securemail extension, not bugzilla itself).
Yes, these instances are all acting independently; there is no exchange between totally unrelated Bugzilla instances.
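An added example, not from this thread or the Securemail extension's code: a check a Bugzilla operator could run on a pasted key after `gpg --refresh-keys`, so that a revocation or a rotated encryption subkey is noticed before mail is encrypted to it. The key IDs and colon-format listing lines are constructed for illustration.

```python
import time

# Constructed sample of `gpg --with-colons --list-keys` output: a primary key
# that has been revoked ("r" in the validity field) together with its subkey.
REVOKED_KEY_LISTING = """\
pub:r:4096:1:0000000000000001:1420070400:0::-::::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:r::::1420070400::0000000000000000000000000000000000000001::Example User <user@example.invalid>::::::::::0:
sub:r:4096:1:0000000000000002:1420070400:0:::::e::::::23:
"""

# Constructed sample of a key whose old encryption subkey expired and was
# replaced (rotation): still usable because a live "e"-capable subkey exists.
ROTATED_KEY_LISTING = """\
pub:u:4096:1:0000000000000003:1420070400:0::u::::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1420070400::0000000000000000000000000000000000000003::Example User <user@example.invalid>::::::::::0:
sub:e:4096:1:0000000000000004:1420070400:1422748800:::::e::::::23:
sub:u:4096:1:0000000000000005:1422748800:0:::::e::::::23:
"""

def encryption_key_usable(listing: str, now: int) -> tuple[bool, str]:
    """Return (usable, reason) for the first key in a colon-format listing."""
    primary_ok = False
    live_enc_subkeys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        validity, expires, caps = f[1], f[6], f[11]  # fields 2, 7 and 12
        expired = expires not in ("", "0") and int(expires) <= now
        if f[0] == "pub":
            if validity == "r":
                return False, "primary key is revoked"
            if validity == "e" or expired:
                return False, "primary key has expired"
            primary_ok = True
        elif "e" in caps and validity != "r" and not expired:
            live_enc_subkeys.append(f[4])  # keep the usable subkey's key ID
    if not primary_ok:
        return False, "no primary key record found"
    if not live_enc_subkeys:
        return False, "no unexpired, unrevoked encryption subkey"
    return True, "encryption subkey(s) usable: " + ", ".join(live_enc_subkeys)

if __name__ == "__main__":
    now = int(time.time())
    for name, listing in (("revoked", REVOKED_KEY_LISTING), ("rotated", ROTATED_KEY_LISTING)):
        print(name, encryption_key_usable(listing, now))
```

Without the preceding refresh step the listing still reflects whatever was pasted into the form, which is exactly the gap discussed above.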