Houston, we have a problem
Stefan Claas
stefan.claas at posteo.de
Fri Sep 22 22:08:15 CEST 2017
On Fri, 22 Sep 2017 21:40:41 +0200, Kristian Fiskerstrand wrote:
> On 09/22/2017 09:34 PM, Stefan Claas wrote:
> >>> O.k. i just tested a bit and this is a bug int the Web Interface
> >>> and in GnuPG's CLI Interface.
> >> I don't see a bug here.
> > Now i am a bit confused... Then maybe a "funny" design flaw? I mean
> > what should users unfamiliar with the whole WoT procedure may
> > think when seeing a fake "sig3" (which they may not spot) and then
> > clicking on the key-id in question, which then links to the original
> > key?
> >
>
> No, its not a design flaw, it is valid design. OpenPGP keyblock
> information is based on an object based security model where packets
> are added, but don't carry any meaning until the signature has been
> verified. The public keyserver network is by design not a trusted
> third party, and can not be, so keyblock needs to be imported using a
> local client at which point invalid data, including invalid
> signatures, results in discarding of the data, which would filter out
> the signature in this case.
>
> So all is as it is supposed to be
Thanks for the information! Can you tell me please how to import
a pub key with a local client, so that invalid data get's removed
automatically? When doing a gpg --receive-key key-id the fake data
is not removed.
Regards
Stefan
--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
More information about the Gnupg-users
mailing list