Daniel Kahn Gillmor wrote: > Hi John, all-- > > On 09/14/2013 09:46 PM, John Clizbe wrote:. > > clearly i think that such data should neither propagate on the > keyservers nor be accepted or transmitted by the clients. Both sides of > the transaction should be actively filtering to minimize unwanted data > leakage.
I think we're singin' outta the same hymnal now >> >> My compromise suggestion of trying to DTRT but with minimum harm is in the >> case of 1, where signing key != signed key, strip the non-exportable sig >> before we import into the key store. >> >> In the case of 2, where signing key == signed key (lsign your own key) we >> have >> a user either intentionally or accidentally shooting himself in the crypto >> foot. We can a) hold our noses and accept the key, or b) reject the entire >> key >> as malformed -- there is no way to honor the no-export sig flag and still >> have >> a valid key. >> >> Another possibility is that if there are earlier or later exportable >> selfsig(s), just strip the errant selfsig with the no-export flag. > > I favor (b), but getting that to happen would require SKS to actually > reject OpenPGP User IDs which have no selfsigs. This is not currently > the case for sks 1.1.4. > > I believe the attached patch (also pushed to > https://bitbucket.org/dkgdkg/sks-keyserver/) implements this additional > verification. Again, my ocaml is in its infancy, so i would welcome any > sanity checking, and any advice about what i could do better in the code. Infancy? You jest LOL > (there is one other fix published in my bitbucket hg repository which is > a minor documentation cleanup). > > Please let me know what you think about these two changes. 1) You're running the changed code on your server? 2) CHANGELOG - Properly filter local signatures which were not intended to be exportable 3) A quick perusal -- they look good Dan, it's OK to reply off-list on this. -- John P. Clizbe Inet: John (a) Gingerbear DAWT net SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-k...@gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels"
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
