> How bad could this get? (I am sputteringly angry over this entire thing: please understand this and give a charitable read to what I write. I appreciate it.)
Hard to say. One of the big problems we have is the size of the existing codebase. Once people have GnuPG installed, they overwhelmingly like to leave it alone. We still get people coming onto this list asking for support with GnuPG *1.2*. So for these installations, these "we're going to install it and forget it"s? They're screwed. Sooner or later they'll import a poisoned certificate, GnuPG will get wedged, and it will appear as if GnuPG just stopped working. It might happen tomorrow or it might happen in five years. We don't know, but it will happen.

There are other groups that run human networks in dangerous places. (There are many of them: Médecins Sans Frontières, Reuters, and more.) The people who are running around Syria treating casualties or doing political news reporting from Gaza are overwhelmingly not computer nerds. They know they're supposed to run "gpg --refresh-keys" from time to time to get the latest revocations. They do it this time, and GnuPG breaks horribly. Odds are good they'll say "sod this, I can't trust this crap" and throw it away.

There are a ton of tiny little poorly-maintained systems in out-of-the-way places that get completely overlooked until things break. Those, too, have good odds of getting wedged the first time they encounter a poisoned certificate.

The next version of Enigmail will no longer use the SKS network by default. Great! But what about existing Enigmail users? They'll see a signature, click "Import Key", and ... bam. They're likely not going to think that someone's performing a malicious attack by poisoning certificates: they're going to think "this is crap" and walk away.

Right now only three certificates are known to be affected: mine, dkg's, and Kristian's. I expect that number to rise, either due to the original jerk figuring this is fun, or due to copycats getting in on the action.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users