* Paul Wise:
In addition to the user expectations issues Andrew mentions, it isn't
too hard to imagine attacks that take advantage of colliding key-ids,
blind key imports by gpg and tools/users that only look at key-ids.
http://www.asheesh.org/note/debian/short-key-ids-are-bad-news
The
On Sun, 2014-08-24 at 16:46 +0200, Florian Weimer wrote:
* Paul Wise:
In addition to the user expectations issues Andrew mentions, it isn't
too hard to imagine attacks that take advantage of colliding key-ids,
blind key imports by gpg and tools/users that only look at key-ids.
On 08/24/2014 07:46 AM, Florian Weimer wrote:
The recommendation to rely on 64 bit key IDs is rather questionable
because V3 keys allow cheap construction of 64-bit key ID duplicates:
http://www.ietf.org/mail-archive/web/openpgp/current/msg00373.html
This is not an issue with 64-bit key IDs,
In addition to the user expectations issues Andrew mentions, it isn't
too hard to imagine attacks that take advantage of colliding key-ids,
blind key imports by gpg and tools/users that only look at key-ids.
http://www.asheesh.org/note/debian/short-key-ids-are-bad-news
--
bye,
pabs
Hi Paul,
tags 725411 + security
This bug has been fixed in GnuPG 1.4.17.
Although it's a good robustness and anti-keyring-pollution measure, I don't
think it's an acute security issue in stable that needs to be fixed in a
DSA, because the threat model is unclear to me.
I think it's well
Hi Thijs,
On Fri, 22 Aug 2014 13:41:20 +0200
Thijs Kinkhorst th...@debian.org wrote:
This bug has been fixed in GnuPG 1.4.17.
Although it's a good robustness and anti-keyring-pollution measure, I
don't think it's an acute security issue in stable that needs to be
fixed in a DSA, because the
Package: gnupg
Version: 1.4.12-7+deb7u1
Severity: normal
Dear Maintainer,
the current release versions of gnupg (1.4 as well as 2) blindly import
anything returned from a keyserver; even when requesting a key by its most
specific identifier (full fingerprint), the server is free to return