On 09/22/2017 09:34 PM, Stefan Claas wrote:
>>> O.k. I just tested a bit and this is a bug in the Web Interface
>>> and in GnuPG's CLI Interface.
>> I don't see a bug here.
> Now I am a bit confused... Then maybe a "funny" design flaw? I mean
> what should users unfamiliar with the whole WoT procedure
> think when seeing a fake "sig3" (which they may not spot) and then
> clicking on the key-id in question, which then links to the original
> key?
> 

No, it's not a design flaw, it is valid design. OpenPGP keyblock
information is based on an object-based security model where packets are
added, but don't carry any meaning until the signature has been
verified. The public keyserver network is by design not a trusted third
party, and cannot be, so a keyblock needs to be imported using a local
client, at which point invalid data, including invalid signatures,
results in discarding of the data, which would filter out the signature
in this case.

So all is as it is supposed to be.

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"By three methods we may learn wisdom: First, by reflection, which is
noblest; Second, by imitation, which is easiest; and third by
experience, which is the bitterest."
(Confucius)
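
The point made in the message above, as an added example (not code from this thread or from GnuPG): a minimal RFC 4880 packet walker that reads the signature type and issuer key ID a keyblock claims, with no cryptographic check at all, which is the only information an untrusted keyserver listing has. The sample bytes and the key ID 0123456789ABCDEF are constructed placeholders.

```python
def _length(buf, i, subpkt=False):   # new-format header / subpacket length field
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o < 224 or (subpkt and o < 255):
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2
    if o == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body length not handled")

def packets(buf):
    # Yield (tag, body) for each packet of a binary (de-armored) keyblock.
    i = 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80 or (hdr & 0x43) == 3:
            raise ValueError("bad header or indeterminate length")
        if hdr & 0x40:                       # new-format header
            tag = hdr & 0x3F
            n, i = _length(buf, i + 1)
        else:                                # old-format header, 1/2/4-byte length
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n = int.from_bytes(buf[i + 1:i + 1 + size], "big")
            i += 1 + size
        yield tag, buf[i:i + n]
        i += n

def subpackets(area):
    i = 0
    while i < len(area):
        n, i = _length(area, i, subpkt=True)
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += max(n, 1)                       # a zero length must not loop forever

def claimed_signatures(buf):
    # (sig type, claimed issuer key ID) per v4 signature packet. Parsing only:
    # no hash or public-key operation, so nothing here says the data is valid.
    out = []
    for tag, body in packets(buf):
        if tag == 2 and body[0] == 4:
            hlen = int.from_bytes(body[4:6], "big")
            ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
            area = body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen]
            issuer = next((d.hex().upper() for t, d in subpackets(area) if t == 16), None)
            out.append((body[1], issuer))
    return out

# Constructed sample: type 0x13 certification, placeholder issuer key ID, junk MPI.
BODY = bytes.fromhex("04130108" "0006" "050200000000" "000a" "0910" "0123456789ABCDEF" "0000" "0008ff")
SAMPLE = bytes([0x88, len(BODY)]) + BODY
```

`claimed_signatures(SAMPLE)` reports a 0x13 certification from the placeholder key ID even though the signature value is junk; only verification by a local client on import decides whether such a packet is kept.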
