Daniel Kahn Gillmor writes:
> On 08/14/2013 04:35 AM, Stephen J. Turnbull wrote:

> > Python 2.7.5 (default, Aug 1 2013, 23:58:20)
> > >>> from gnupg import GPG
> > >>> gpg = GPG(gnupghome='/Users/steve/.gnupg',keyring='test-pub',secret_keyring='test-sec')
> > >>> crypted = gpg.encrypt(u'A bit of random text.', u'step...@xemacs.org', always_trust=True)

> hmm, always_trust=True is probably problematic

Of course it is, but I was working with a test keyring.

> -- if someone manages to inject another key with the associated
> User ID earlier into gpg's keyring, then their key will be used
> before the correct key.

This is an argument for validity checks on the keyring. The alternative is keeping the email-to-fingerprint mapping in the User database, which is *not* designed for crypto validation. I see no reason to suppose it's easier to attack the keyring than the User database.

> fortunately, in the current implementation we're only worrying about
> signing, not encryption; so the relevant issue is the choice of secret
> key, and we don't expect other users to be able to inject data into the
> secret keyring, so this shouldn't be a concern. right?

I don't think it's a major concern, period. True, encryption uses the public key, which may be downloaded from a keyserver or entered from the web, making injection attacks plausible. So what? What's the alternative given that the raison d'etre of Mailman is to give users control over their profiles?

Note that I don't deny that there are real security issues here, and that in some contexts they are important. But if they are, I have to wonder if Mailman isn't much too complicated to be trusted anyway.

Steve
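
Added example, not code from this thread or from Mailman: a keyring validity check over constructed `gpg --with-colons --list-keys` output that resolves an address to a fingerprint only when exactly one key carries a fully valid User ID for it. The function names, sample keys and address are assumptions made for illustration.

```python
import re

# Constructed sample (gpg 2.1+ colon layout): two keys carry the same User ID.
# The first key in keyring order has unknown validity ("-"), the second is fully valid ("f").
FIRST_IN_KEYRING, VALIDATED = "A" * 40, "B" * 40
SAMPLE_LISTING = """\
pub:-:2048:1:AAAAAAAAAAAAAAAA:1376000000:::-:::scESC:
fpr:::::::::{0}:
uid:-::::1376000000::X::Example User <user@example.org>:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1370000000:::-:::scESC:
fpr:::::::::{1}:
uid:f::::1370000000::Y::Example User <user@example.org>:
""".format(FIRST_IN_KEYRING, VALIDATED)

TRUSTED = {"f", "u"}  # field 2 of a uid record: fully or ultimately valid


def candidates(listing, email):
    """Return [(fingerprint, uid_validity)] for keys with a UID for email, in keyring order."""
    found, fpr = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            fpr = None                      # a new primary key block starts
        elif f[0] == "fpr" and fpr is None:
            fpr = f[9]                      # first fpr after pub belongs to the primary key
        elif f[0] == "uid" and fpr:
            # Field 10 is the User ID (C-style escapes are not decoded here).
            m = re.search(r"<([^<>]+)>\s*$", f[9])
            if m and m.group(1).lower() == email.lower():
                found.append((fpr, f[1]))
    return found


def select_recipient(listing, email):
    """Fingerprint of the single valid key for email; raise on none or on ambiguity."""
    valid = sorted({fp for fp, v in candidates(listing, email) if v in TRUSTED})
    if len(valid) != 1:
        raise LookupError("%d valid keys for %s" % (len(valid), email))
    return valid[0]


if __name__ == "__main__":
    print("first match by User ID:", candidates(SAMPLE_LISTING, "user@example.org")[0][0])
    print("validated selection:   ", select_recipient(SAMPLE_LISTING, "user@example.org"))
```

Passing the returned fingerprint as the recipient, rather than the address, removes the dependence on keyring order that the thread discusses.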