choosing an encryption target from a User ID

Ingo Klöcker kloecker at kde.org
Fri Oct 2 21:12:36 CEST 2009


On Thursday 01 October 2009, Daniel Kahn Gillmor wrote:
> On 09/30/2009 05:32 PM, Ingo Klöcker wrote:
> > Hmm, AFAIU, for someone who does not blindly certify such keys this
> > shouldn't be a problem since those malicious keys wouldn't be valid
> > and thus wouldn't take preference over a valid key ... unless
> > somebody else this person trusts is trying to screw them.
>
> The current gpg behavior is to use the first key with a matching User
> ID, regardless of the validity of that User ID.  So this causes (at
> best) warnings and alerts about using an invalid key or (at worst)
> lets someone with marginal ownertrust abuse the user by taking
> precedence over a fully-trusted certification if the keyring happens
> to be ordered in a certain way.

Indeed. That's a weird policy.


Regards,
Ingo
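
The difference between the first-match selection described in the quoted message and selection by User ID validity, as an added example that is not part of the original thread and not GnuPG's own code. The listing is constructed in the style of `gpg --with-colons --list-keys` output, and the function names, key IDs and addresses are hypothetical.

```python
# Constructed sample in the style of `gpg --with-colons --list-keys`:
# field 1 = record type, field 2 = validity, field 5 = key ID (pub),
# field 10 = User ID (uid). Key IDs, hashes and addresses are made up.
SAMPLE = """\
pub:m:2048:1:AAAAAAAAAAAAAAAA:1254000000:::-:::scESC:
uid:m::::1254000000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1254000000:::-:::scESC:
uid:f::::1254000000::0000000000000000000000000000000000000002::Alice Example <alice@example.org>:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1254000000:::-:::scESC:
uid:-::::1254000000::0000000000000000000000000000000000000003::Bob Example <bob@example.org>:
"""

# Validity letters ranked: unknown/undefined < marginal < full < ultimate.
# Any other letter (o, i, d, r, e, n) is treated as unusable.
RANK = {"-": 0, "q": 0, "m": 1, "f": 2, "u": 3}


def candidates(listing, needle):
    """Return (key_id, uid_validity) for each matching User ID, in keyring order."""
    out, keyid = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid = f[4]
        elif f[0] == "uid" and keyid and needle.lower() in f[9].lower():
            out.append((keyid, f[1]))
    return out


def first_match(listing, needle):
    """Selection as described in the thread: first matching User ID wins."""
    c = candidates(listing, needle)
    return c[0][0] if c else None


def best_valid(listing, needle, minimum="f"):
    """Pick the matching User ID with the highest validity, at least `minimum`."""
    usable = [(k, v) for k, v in candidates(listing, needle)
              if v in RANK and RANK[v] >= RANK[minimum]]
    if not usable:
        return None  # refuse rather than fall back to an invalid key
    return max(usable, key=lambda kv: RANK[kv[1]])[0]


if __name__ == "__main__":
    print("first match:", first_match(SAMPLE, "alice@example.org"))
    print("best valid: ", best_valid(SAMPLE, "alice@example.org"))
```
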