oss-sec mailing list archives

Re: gpg blindly imports keys from keyserver responses

From: mancha <mancha1 () zoho com>
Date: Mon, 1 Sep 2014 20:16:36 +0000

On Mon, Sep 01, 2014 at 10:05:11PM +0200, Kristian Fiskerstrand wrote:

On 09/01/2014 09:43 PM, mancha wrote:

On Mon, Sep 01, 2014 at 08:41:10PM +0200, Kristian Fiskerstrand
wrote:


My personal opinion is this is expected behavior as the
keyservers are not trusted, and as you point out above, there are
proper measures that should be used that invalidate this as an
attack vector, i.e. by performing proper key verification.


Hi.

Isn't it the opposite? Were key servers fully trusted I'd agree 
"expected behavior" would be to blindly import the server's reply.

However, the lack of trustworthiness of keyservers is precisely why
the check is relevant.


I'd consider it security hardening and not a vulnerability.


I wasn't weighing in on whether the change be considered a vulnerability
fix or a hardening feature (which are usually deemed CVE unworthy).

My objection was to the characterization as "expected behavior".

--mancha

Attachment: _bin
Description:

Current thread:

gpg blindly imports keys from keyserver responses Thijs Kinkhorst (Sep 01)
- Re: gpg blindly imports keys from keyserver responses Kristian Fiskerstrand (Sep 01)
  - Re: gpg blindly imports keys from keyserver responses mancha (Sep 01)
    - Re: gpg blindly imports keys from keyserver responses Kristian Fiskerstrand (Sep 01)
    - Re: gpg blindly imports keys from keyserver responses mancha (Sep 01)
  - Re: gpg blindly imports keys from keyserver responses Werner Koch (Sep 01)
- Re: gpg blindly imports keys from keyserver responses Daniel Kahn Gillmor (Sep 01)