German ct magazine postulates death of pgp encryption
Marco Zehe
marcozehe-ml at mailbox.org
Sun Mar 1 18:01:05 CET 2015
Hi Kristian,
> Am 01.03.2015 um 17:54 schrieb Kristian Fiskerstrand <kristian.fiskerstrand at sumptuouscapital.com>:
>
> Since the author's first reaction was closing it WONTFIX I didn't
> bother, with that kind of behavior they can't possibly take security
> seriously.
Error in judgement that has since been corrected. These things sometimes happen, but this should definitely not be generalized.
>
>
> The proper solution seems to be a re-implementation of the system to
> use gpgme for encryption. I'm also worried about the system's key
> management in the case of
> (i) revocations; as I'm not aware of any key refreshes being made,
> meaning a revocation certificate uploaded to public keyserver network
> would not be honored and still constitute information leak.
Yes, the public key doesn’t come from a key server in the first place, but needs to be copy and pasted into a standard HTML textarea while filling in the form for that Securemail extension. So it is the key owner’s responsibility to keep it up to date. As far as I know, there is no interaction with any outside source in this matter.
>
> (ii) Ditto for the issue of replacing the subkeys, as key rotation
> would not be automatically taken into consideration and would have to
> be uploaded manually to each bugzilla implementation using that flawed
> piece of software (the securemail extension, not bugzilla itself).
Yes, these instances are all acting independently, there is no exchange between totally unrelated Bugzilla instances.
Marco
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: </pipermail/attachments/20150301/d3127ee9/attachment.sig>
More information about the Gnupg-users
mailing list