[PATCH 5/5] gpg: Fix regexp sanitization.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jul 21 20:51:27 CEST 2017


On Wed 2017-07-19 15:45:35 +0200, Neal H. Walfield wrote:
> I think it is worth exploring what the implications of any change in
> behavior are.  A good start would be finding all trust sigs with a
> non-empty regex in a key server dump so that we can see how people are
> actually using them in practice.  (I suspect there aren't that many.)

trust sigs are likely to be non-exportable, or simply made on systems
that don't publish their tsigs anywhere anyway.  There are very few good
arguments for publicly exposing tsig information, as that is
significantly more sensitive than normal WoT identity assertions.

That suggests that just looking at tsigs on the keyserver network will
be an undercount, and potentially a significant undercount at that :/

unfortunately, i don't have any specific recommendation to improve
scanning or detection :(

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: </pipermail/attachments/20170721/13f53a5b/attachment.sig>


More information about the Gnupg-devel mailing list