Houston, we have a problem

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Fri Sep 22 21:40:41 CEST 2017


On 09/22/2017 09:34 PM, Stefan Claas wrote:
>>> O.k. I just tested a bit and this is a bug in the Web Interface
>>> and in GnuPG's CLI Interface.   
>> I don't see a bug here.
> Now I am a bit confused... Then maybe a "funny" design flaw? I mean
> what may users unfamiliar with the whole WoT procedure
> think when seeing a fake "sig3" (which they may not spot) and then
> clicking on the key-id in question, which then links to the original
> key?
> 

No, it's not a design flaw; it is valid design. OpenPGP keyblock
information is based on an object-based security model where packets are
added, but don't carry any meaning until the signature has been
verified. The public keyserver network is by design not a trusted third
party, and cannot be, so the keyblock needs to be imported using a local
client, at which point invalid data, including invalid signatures,
results in the data being discarded, which would filter out the signature
in this case.

So all is as it is supposed to be.

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"By three methods we may learn wisdom: First, by reflection, which is
noblest; Second, by imitation, which is easiest; and third by
experience, which is the bitterest."
(Confucius)

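The rule Kristian states above, a keyblock is a bag of packets that anyone can append to, and a certification means nothing until the importing client has verified it, as an added example. This is my own toy model written for this page, not code from GnuPG or from anyone on the thread: the packet layout, the field names, the key-ID derivation and the textbook RSA-over-SHA-256 signature are simplified stand-ins for the RFC 4880 wire format and EMSA-PKCS1-v1_5, the key material is generated at runtime, and the user IDs and the unknown issuer ID are constructed sample data. The keyring, the "fake sig3" naming Bob as issuer and the transplanted signature reproduce Stefan's scenario: the fake names a real key ID, so a web interface would link to Bob's genuine key, but a local import drops it because the signature does not verify.

```python
import hashlib
import random
from dataclasses import dataclass

_rng = random.SystemRandom()
SIG3 = 0x13  # positive certification of a user ID (RFC 4880 signature type 0x13)


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for a demonstration key (not for production use)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int = 65537

    @property
    def key_id(self):
        # Stand-in for an OpenPGP key ID: derived from the key material alone.
        raw = self.n.to_bytes((self.n.bit_length() + 7) // 8, "big")
        return hashlib.sha256(raw).hexdigest()[-16:].upper()


def generate_key(bits=512):
    """Textbook RSA key pair, sized for speed; 512 bits is a toy size."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537 != 0:
            return PublicKey(p * q), pow(65537, -1, phi)


@dataclass
class Packet:
    tag: str    # "pubkey", "uid" or "sig"
    body: dict


def _cert_digest(target, uid, sig_type, issuer_id):
    """Everything a certification binds together: key, user ID, type, issuer."""
    h = hashlib.sha256()
    h.update(target.n.to_bytes((target.n.bit_length() + 7) // 8, "big"))
    h.update(uid.encode())
    h.update(bytes([sig_type]))
    h.update(issuer_id.encode())
    return int.from_bytes(h.digest(), "big")


def certify(signer, signer_d, target, uid, sig_type=SIG3):
    """Build a certification packet: the issuer ID is a bare claim, s is the proof."""
    s = pow(_cert_digest(target, uid, sig_type, signer.key_id), signer_d, signer.n)
    return Packet("sig", {"type": sig_type, "issuer": signer.key_id, "s": s})


def import_keyblock(packets, known_keys):
    """Local import: a certification is kept only if its signature verifies.

    Returns (kept, rejected), rejected being (packet, reason) pairs. In this
    toy a certification whose issuer key is not in the local keyring is also
    set aside, since nothing can be verified about it yet.
    """
    kept, rejected = [], []
    key = uid = None
    for pkt in packets:
        if pkt.tag == "pubkey":
            key, uid = pkt.body["key"], None
            kept.append(pkt)
        elif pkt.tag == "uid":
            uid = pkt.body["uid"]
            kept.append(pkt)
        elif pkt.tag == "sig":
            issuer = known_keys.get(pkt.body["issuer"])
            if key is None or uid is None:
                rejected.append((pkt, "signature with nothing to bind to"))
            elif issuer is None:
                rejected.append((pkt, "issuer key not available locally"))
            elif pow(pkt.body["s"], issuer.e, issuer.n) == _cert_digest(
                    key, uid, pkt.body["type"], pkt.body["issuer"]):
                kept.append(pkt)
            else:
                rejected.append((pkt, "bad signature"))
    return kept, rejected


def demo():
    """A genuine sig3 next to fakes that name the same real issuer."""
    alice, alice_d = generate_key()
    bob, bob_d = generate_key()
    alice_uid = "Alice <alice@example.org>"           # constructed sample data
    keyring = {alice.key_id: alice, bob.key_id: bob}  # keys the local client already holds
    # What a keyserver might return; anyone could have appended the last three packets.
    block = [
        Packet("pubkey", {"key": alice}),
        Packet("uid", {"uid": alice_uid}),
        certify(alice, alice_d, alice, alice_uid),    # Alice's self-certification
        certify(bob, bob_d, alice, alice_uid),        # Bob's genuine sig3
        # "Fake sig3": names Bob as issuer (a web UI links to Bob's real key), random garbage as proof.
        Packet("sig", {"type": SIG3, "issuer": bob.key_id, "s": _rng.getrandbits(256)}),
        # Bob's real signature over a different user ID, transplanted under Alice's UID.
        certify(bob, bob_d, alice, "Mallory <mallory@example.org>"),
        # A sig3 naming an issuer the local keyring has never seen (constructed ID).
        Packet("sig", {"type": SIG3, "issuer": "DEADBEEFCAFEF00D", "s": 1}),
    ]
    return import_keyblock(block, keyring)


if __name__ == "__main__":
    kept, rejected = demo()
    print("kept:", [p.tag for p in kept])
    print("rejected:", [reason for _, reason in rejected])
```

Run as a script it shows the keyblock shrinking from five certifications to the two that verify; the two fakes that name Bob's key ID are rejected exactly as the genuine one is accepted, which is the point of the "object-based" model: the key ID in a packet is a pointer, not evidence, and only the local verification step turns a packet into a statement about the key.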