Control: forwarded 930665 https://dev.gnupg.org/T4393
Control: severity 930665 important
Control: tags 930665 + confirmed
Hi Vincent--

On Tue 2019-06-18 01:04:02 +0200, Vincent Breitmoser wrote:

> in the current version of GnuPG, signatures will be imported from public key
> blocks only if they are accompanied by a UserID packet plus valid signature.
> However, self-signatures on the key itself and on subkeys can be
> cryptographically verified, independently of user ids. This opens a use case
> of transferring revocations and updates on subkeys, without revealing the
> key's user ids.

Thanks for this report.

I think GnuPG's inability to receive these kinds of cryptographic updates to OpenPGP certificates that it knows about is at core a security risk (it makes it more likely that users will use a revoked key; or will be unable to use any key at all, and will send plaintext).

This risk is exacerbated by the ongoing failure of the traditional keyserver network due to abuse, which is what newer keyservers like keys.openpgp.org aim to withstand.

I've backported these changes to the 2.2.x branch, and am considering applying them to the debian packaging for GnuPG so that debian users are defended against these risks.

I'm hoping for more meaningful feedback from upstream on the associated upstream bug report.

--dkg
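The distinction at the heart of this bug report is a packet-level one: a stripped update carries the primary key, subkey packets and self-signatures (including key and subkey revocations) but no User ID packets at all. The following script is an added example, not part of the bug report or of GnuPG, that walks an OpenPGP packet stream (RFC 4880 header formats) and reports what an update block brings, so that an importer can see that a block with no user IDs still contains verifiable revocation signatures. The sample blocks are constructed in the script with placeholder key and MPI bodies; they are not real key material and only the packet headers and the signature type bytes are meaningful.

```python
"""Inspect which OpenPGP packets a key block or update block carries.

Added example with constructed sample data; not real key material.
"""

# OpenPGP packet tags (RFC 4880 section 4.3)
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14

# v4 signature types (RFC 4880 section 5.2.1)
SIG_POSITIVE_CERT = 0x13       # user-ID binding self-signature
SIG_SUBKEY_BINDING = 0x18
SIG_DIRECT_KEY = 0x1F
SIG_KEY_REVOCATION = 0x20
SIG_SUBKEY_REVOCATION = 0x28


def parse_packets(data):
    """Split a binary OpenPGP packet stream into (tag, body) pairs.

    Handles both old-format and new-format packet headers. Partial body
    lengths and indeterminate lengths are rejected: exported key blocks do
    not use them, and accepting them would hide truncation.
    """
    packets = []
    i = 0
    while i < len(data):
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError("missing packet-header bit at offset %d" % i)
        if ptag & 0x40:  # new-format header: tag in the low six bits
            tag = ptag & 0x3F
            b1 = data[i + 1]
            if b1 < 192:
                length, i = b1, i + 2
            elif b1 < 224:
                length, i = ((b1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif b1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length not supported")
        else:  # old-format header: tag in bits 5..2, length type in bits 1..0
            tag = (ptag >> 2) & 0x0F
            ltype = ptag & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
            i += 1 + n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        packets.append((tag, body))
        i += length
    return packets


def summarize(data):
    """Count user IDs and subkeys and flag the revocations a block carries."""
    summary = {"user_ids": 0, "subkeys": 0, "key_revoked": False,
               "subkey_revocations": 0, "sig_types": []}
    for tag, body in parse_packets(data):
        if tag == TAG_USER_ID:
            summary["user_ids"] += 1
        elif tag == TAG_PUBLIC_SUBKEY:
            summary["subkeys"] += 1
        elif tag == TAG_SIGNATURE:
            if body[0] != 4:
                raise ValueError("only v4 signature packets are handled here")
            sig_type = body[1]
            summary["sig_types"].append(sig_type)
            if sig_type == SIG_KEY_REVOCATION:
                summary["key_revoked"] = True
            elif sig_type == SIG_SUBKEY_REVOCATION:
                summary["subkey_revocations"] += 1
    return summary


# --- constructed sample blocks (placeholder bodies, not real keys) ---

def _pkt(tag, body):
    """Encode one packet with a new-format header (1- or 2-octet length)."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    else:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return hdr + body


def _sig(sig_type):
    """Minimal v4 signature body: version, type, pubkey algo, hash algo,
    empty hashed and unhashed subpacket areas, 2-octet hash prefix, dummy MPI."""
    return bytes([4, sig_type, 1, 8]) + b"\x00\x00\x00\x00" + b"\xab\xcd" + b"\x00\x08\x80"


_KEY_BODY = b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00\x08\x80"  # placeholder v4 key
PRIMARY = _pkt(TAG_PUBLIC_KEY, _KEY_BODY)
SUBKEY = _pkt(TAG_PUBLIC_SUBKEY, _KEY_BODY)

# A certificate as usually exported: primary, user ID + binding, subkey + binding.
FULL_CERT = (PRIMARY + _pkt(TAG_USER_ID, b"Alice <alice@example.org>")
             + _pkt(TAG_SIGNATURE, _sig(SIG_POSITIVE_CERT))
             + SUBKEY + _pkt(TAG_SIGNATURE, _sig(SIG_SUBKEY_BINDING)))

# The update shape the report describes: key and subkey revocations, with
# every user-ID packet (and its binding signature) stripped out.
STRIPPED_UPDATE = (PRIMARY + _pkt(TAG_SIGNATURE, _sig(SIG_KEY_REVOCATION))
                   + SUBKEY + _pkt(TAG_SIGNATURE, _sig(SIG_SUBKEY_REVOCATION)))

if __name__ == "__main__":
    for name, block in (("full", FULL_CERT), ("stripped", STRIPPED_UPDATE)):
        print(name, summarize(block))
```

Run stand-alone, the script shows the full certificate with one user ID and no revocations, and the stripped update with zero user IDs but a key revocation and a subkey revocation: exactly the material that an importer rejecting everything without a User ID packet would throw away, even though each of those self-signatures can be checked against the primary key on its own.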