Bugtraq mailing list archives

Re: (Fwd) Keyservers Cross Site Scripting (When CSS Gets Dangerous)


From: "Michael Young" <mwy-pks55 () the-youngs org>
Date: Mon, 22 Apr 2002 13:45:50 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: "Stefan Kelm" <kelm () secorvo de>
> This is of particular danger when it comes to keyservers, since the key
> information itself is usually considered as highly trustworthy.

Absolutely not.  Keyservers are wide open public repositories.  They
can, and do, contain arbitrary garbage.  Users should only trust
material that they can verify through signatures or direct contact.

Moreover, clients should only be generating well-formed URLs
for key lookups.  What am I missing?

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPMRMGVMkvpTT8vCGEQKSRQCgi3Uvj/w4wAtFsBzM0Yt+CglxTj0AoNCj
vADEMPSTqze3uqdKfLUp3JyT
=IXGp
-----END PGP SIGNATURE-----


