stefan.claas at posteo.de
Fri Jun 30 20:01:50 CEST 2017
On Fri, 30 Jun 2017 18:38:45 +0200, Peter Lebbing wrote:
> Somebody could put their own public key in your keyring, assign that
> Ultimate trust, and then certify another public key they wish to pop
> up as valid. Ultimately trusted keys make other keys valid by their
> certification. There is no way to see any difference between a key
> that is fully valid because your own ultimately trusted key signed it
> or because the attacker's ultimately trusted key signed it. And since
> the ultimately trusted key of the attacker isn't the one doing data
> signatures, your "alternative colour" will not trigger.
Correct. But what I meant was an attacker would replace one of my pub
keys (which I signed) with one that has only the Trust Level set to
Ultimate, resulting in both keys showing up with a green bar.
According to (I'm no programmer) RFC 4880 OpenPGP Message Format:
5.2.3.13. Trust Signature Page 30
5.10. Trust Packet (Tag 12) Page 47
Those are imho two different things and therefore should not be
handled with the same color output.
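The two RFC 4880 structures cited above, told apart at the byte level. This is an added example, not part of the original message and not GnuPG code: a Trust packet is a top-level packet with tag 12 whose content is implementation-defined, while a Trust Signature is subpacket type 5 (one level octet, one amount octet) inside a signature packet. The function names and the sample bytes are constructed for illustration.

```python
# Added example (not GnuPG code): Trust packet (tag 12) vs Trust Signature subpacket (type 5).
def sub_len(buf, i):                          # subpacket length, RFC 4880 5.2.3.1
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def iter_packets(data):
    """Yield (tag, body) for old-format packet headers (RFC 4880 section 4.2.1)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0xC0 != 0x80 or hdr & 0x03 == 3:
            raise ValueError("only old-format, definite-length headers handled")
        n = 1 << (hdr & 0x03)                 # 1, 2 or 4 length octets
        length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        i += 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield (hdr >> 2) & 0x0F, data[i:i + length]
        i += length

def trust_signatures(sig):
    """Return (level, amount) per type-5 subpacket in a v4 signature's hashed area."""
    if not sig or sig[0] != 4:
        return []
    area = sig[6:6 + int.from_bytes(sig[4:6], "big")]
    found, i = [], 0
    while i < len(area):
        n, i = sub_len(area, i)               # n counts the type octet too
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        if area[i] & 0x7F == 5 and n == 3:    # bit 7 is the critical flag
            found.append((area[i + 1], area[i + 2]))
        i += n
    return found

def classify(data):
    out = []
    for tag, body in iter_packets(data):
        if tag == 12:                         # Trust packet, section 5.10
            out.append(("trust packet", body.hex()))
        elif tag == 2:                        # Signature packet
            out += [("trust signature", *t) for t in trust_signatures(body)]
    return out

# Constructed bytes: a v4 certification stub with one trust subpacket, then a Trust packet.
SIG = bytes([4, 0x10, 1, 8, 0, 4, 3, 5, 1, 120, 0, 0, 0xAB, 0xCD, 0, 8, 0xFF])
SAMPLE = bytes([0x88, len(SIG)]) + SIG + bytes([0xB0, 1, 0x06])
```

`classify(SAMPLE)` reports the trust signature (level 1, amount 120) separately from the one-octet Trust packet, which is the distinction the message argues a front end should display.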