SKS and GnuPG related issues and possible workarounds

Werner Koch wk at gnupg.org
Wed Jul 3 11:58:15 CEST 2019


On Wed,  3 Jul 2019 05:06, rjh at sixdemonbag.org said:

> As I understand it the current list of targeted keys is myself, dkg,
> Werner, Patrick, and Kristian.  It is clear the attacker's goal is to

I am not yet affected except for these few thousand old xmas fun
signatures.

> Werner will no doubt be updating GpgOL as well.

I am sorting out some other bugs and hope to get a release out next
week.  I tend to make

  --keyserver-options self-sigs-only

the default to avoid importing possible crap from the keyservers.
no-self-sigs-only should allow reverting for those who still want to
receive updates from the anyway overloaded keyservers.  A command to
clean affected keys would also be useful but it might be better to get a
new release out early than to implement a feature which needs quite some
time for testing. (https://dev.gnupg.org/T4591)

What we can also do is to remove the default keyserver feature we
introduced with 2.2.  This means that anyone who wants to use a
keyserver needs to pick one and not rely on defaults.

The other thing I have in mind to actually add to 2.2 is to re-purpose
--search-keys to update from WKD or DANE instead of looking up at the
keyservers. (T4599)


> of OpenPGP is to verify package signatures; for the small fraction that
> use it for email, Enigmail is the most dominant choice, with GpgOL a

Frankly, I doubt that given the many users of Gpg4win compared to those
of Linux desktops.  But this is a different topic.

> The real damage is going to be to people's workflows.  A whole lot of
> people are going to be impacted by these fixes and we can expect to need

Actually, not being able to fetch a key from the keyservers can improve
security or at least avoid problems sending mails encrypted to the wrong
key.  (See my comment above on --search-keys.)


Shalom-Salam,

   Werner


p.s.
Why can't we have such problems at times when it is cold and rainy and
you can anyway only sit at your desk ;-).

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
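The message above talks about keys that have been flooded with third-party signatures and about a clean-up command that does not exist yet. As an added example (not Werner's code and not part of GnuPG), the following script counts self-signatures versus third-party signatures per key in the output of `gpg --with-colons --list-sigs`, so an operator can spot affected keys in a local keyring before deciding what to do with them. It assumes the colon record layout in which field 1 is the record type and field 5 the key ID (of the key for `pub`, of the signer for `sig`); the listing it runs on is constructed sample data, not real keys.

```python
"""Flag keys in a `gpg --with-colons --list-sigs` listing that carry an
unusual number of third-party certifications (constructed sample data)."""

def parse_colon_listing(text):
    """Return {primary key ID: {"self": n, "third_party": n}}.

    Assumption: field 1 is the record type and field 5 the key ID, as in the
    documented colon format. `sig` records are attributed to the most recent
    `pub` record; a signer whose key ID equals the primary key ID is a
    self-signature, everything else a third-party certification. `rev`
    records (revocation signatures) are ignored here."""
    counts = {}
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            current = fields[4]
            counts[current] = {"self": 0, "third_party": 0}
        elif fields[0] == "sig" and current is not None and len(fields) > 4:
            bucket = "self" if fields[4] == current else "third_party"
            counts[current][bucket] += 1
    return counts

def flooded_keys(counts, threshold=1000):
    """Key IDs whose third-party signature count reaches the threshold."""
    return sorted(k for k, c in counts.items() if c["third_party"] >= threshold)

def build_sample_listing(keyid, n_third_party):
    """Construct a minimal listing for one key (hypothetical IDs and names)."""
    lines = [
        f"pub:u:4096:1:{keyid}:1500000000:::u:::scESC::::::23::0:",
        "uid:u::::1500000000::HASH::Sample User <user@example.org>::::::::::0:",
        f"sig:::1:{keyid}:1500000000::::Sample User <user@example.org>:13x::",
    ]
    for i in range(n_third_party):
        # Synthetic signer key IDs; none of them collide with the sample keys.
        lines.append(f"sig:::1:{i:016X}:1500000000::::[User ID not found]:10x::")
    return "\n".join(lines) + "\n"

# One ordinary key with a few certifications and one flooded key.
SAMPLE_LISTING = (build_sample_listing("0123456789ABCDEF", 3)
                  + build_sample_listing("FEDCBA9876543210", 1500))

if __name__ == "__main__":
    result = parse_colon_listing(SAMPLE_LISTING)
    for keyid, c in result.items():
        print(f"{keyid}: {c['self']} self, {c['third_party']} third-party")
    print("flooded:", flooded_keys(result))
```

On a real keyring, feed it `gpg --with-colons --list-sigs` output and pick a threshold that matches what is normal for your keys; the flagged keys are the ones to re-import with self-sigs-only or to clean.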

