Hi Kristian,

> On 01.03.2015 at 17:54, Kristian Fiskerstrand
> <kristian.fiskerstr...@sumptuouscapital.com> wrote:
> 
> Since the author's first reaction was closing it WONTFIX I didn't
> bother, with that kind of behavior they can't possibly take security
> seriously.

Error in judgement that has since been corrected. These things sometimes 
happen, but this should definitely not be generalized.

> 
> 
> The proper solution seems to be a re-implementation of the system to
> use gpgme for encryption. I'm also worried about the system's key
> management in the case of
>       (i) revocations; as I'm not aware of any key refreshes being made,
> meaning a revocation certificate uploaded to public keyserver network
> would not be honored and still constitute information leak.
Yes, the public key doesn’t come from a key server in the first place, but 
needs to be copied and pasted into a standard HTML textarea while filling in the 
form for that Securemail extension. So it is the key owner’s responsibility to 
keep it up to date. As far as I know, there is no interaction with any outside 
source in this matter.


> 
>       (ii) Ditto for the issue of replacing the subkeys, as key rotation
> would not be automatically taken into consideration and would have to
> be uploaded manually to each bugzilla implementation using that flawed
> piece of software (the securemail extension, not bugzilla itself).

Yes, these instances are all acting independently, there is no exchange between 
totally unrelated Bugzilla instances.

Marco
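An added check for the situation Marco describes; this is example code, not code from the thread, from Bugzilla or from the SecureMail extension. Since the pasted key block is the only copy an instance ever sees, the instance can at least parse what was pasted, verify the armor CRC so a truncated paste is caught, and flag material that already carries a key or subkey revocation signature. Packet tags, signature types and the CRC-24 come from RFC 4880; the two sample key blocks are constructed inline with dummy MPIs and are not real keys.

```python
import base64
import struct
from datetime import datetime, timezone

# Packet tags and signature types as defined in RFC 4880.
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14
SIG_KEY_REVOCATION, SIG_SUBKEY_REVOCATION = 0x20, 0x28

def crc24(data: bytes) -> int:
    """CRC-24 used for the OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Decode an armored public key block as pasted into a textarea, checking the CRC line."""
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    body, crc_line, in_body = [], None, False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:
            in_body = line == ""          # a blank line ends the armor headers
            continue
        if line.startswith("="):
            crc_line = line[1:]
        else:
            body.append(line)
    data = base64.b64decode("".join(body))
    if crc_line is not None and crc24(data) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor CRC mismatch: pasted key is corrupt or truncated")
    return data

def parse_packets(data: bytes):
    """Yield (tag, body) for each packet; supports old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def revocation_status(armored: str) -> dict:
    """Summarise what the pasted material itself says about revocation."""
    status = {"created": None, "key_revoked": False, "subkeys": 0, "revoked_subkeys": 0}
    for tag, body in parse_packets(dearmor(armored)):
        if tag == TAG_PUBLIC_KEY and body[0] == 4:
            status["created"] = datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], timezone.utc)
        elif tag == TAG_PUBLIC_SUBKEY:
            status["subkeys"] += 1
        elif tag == TAG_SIGNATURE and body[0] == 4:   # byte 1 of a v4 signature is its type
            if body[1] == SIG_KEY_REVOCATION:
                status["key_revoked"] = True
            elif body[1] == SIG_SUBKEY_REVOCATION:
                status["revoked_subkeys"] += 1
    return status

# --- constructed sample key blocks (dummy MPIs, not real keys) ---
def _packet(tag, body):                     # old-format header with a one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body
def _sig(sig_type):                         # minimal v4 signature: no subpackets, dummy MPI
    return _packet(TAG_SIGNATURE, bytes([4, sig_type, 1, 8, 0, 0, 0, 0, 0xAA, 0xBB]) + b"\x00\x08\x55")
def _armor(data):
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

# v4 RSA key material created 2015-03-01 UTC, followed by two tiny dummy MPIs
_KEY_MATERIAL = bytes([4]) + struct.pack(">I", 1425168000) + bytes([1]) + b"\x00\x08\xAB\x00\x11\x01\x00\x01"
_CLEAN = (_packet(TAG_PUBLIC_KEY, _KEY_MATERIAL) + _packet(TAG_USER_ID, b"Sample <sample@example.invalid>")
          + _sig(0x13) + _packet(TAG_PUBLIC_SUBKEY, _KEY_MATERIAL) + _sig(0x18))
SAMPLE_KEY_CLEAN = _armor(_CLEAN)                                 # what an owner pastes initially
SAMPLE_KEY_REVOKED = _armor(_CLEAN + _sig(SIG_KEY_REVOCATION))    # re-pasted after the owner revokes
```

This only inspects the material the owner pasted; it does not refresh anything from a keyserver, so a revocation or subkey rotation published elsewhere stays invisible to the instance until the owner re-pastes the updated block, which is exactly the responsibility Marco describes. Running `revocation_status` on each pasted block, and again on a schedule against the stored copy, at least ensures that a block which already carries its own revocation is never used for encryption.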


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
