David Shaw on Sun, 6 Jul 2003 20:23:44 -0400


Re: [PLUG] What keyserver to use?

On Sat, Jul 05, 2003 at 11:15:19PM -0400, gabriel rosenkoetter wrote:

> [1] Definition 2 of "handy": security risk. Automatically downloading
> things is almost always a bad idea. There's no more reason to assume
> that gpg doesn't contain a buffer flow than there is to assume that
> Microsoft Outlook doesn't. Now, gpg is probably a little bit more
> careful with the data it retrieves from a keyserver... but still. Be
> conscious of what you're having your software do for you.

What are you saying... that software might have **bugs**?  Horrors!

For what it is worth, GnuPG 1.4 has no keyserver access code in the
main gpg program, and does it all via helper applications (1.2.x does
this only partially).  That doesn't eliminate the possibility of a
remote compromise, of course, but does make it a little bit harder for
a few reasons.

Automatic key retrieval has another interesting security implication.
If you think about it, key retrievals make a pretty decent "web bug"
for the keyserver operator.
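The thread's concern is whether gpg is configured to download keys on its own. The following is an added example (not code from GnuPG or from either poster) that audits a gpg.conf for that setting; the sample configs and the keyserver hostname in them are constructed for the demonstration.

```python
"""Audit a GnuPG gpg.conf for automatic key retrieval.

GnuPG has spelled this setting two ways over time: the standalone
'auto-key-retrieve' option and the 'keyserver-options auto-key-retrieve'
form. Either can be negated with a 'no-' prefix, and the last setting in
the file wins, which mirrors GnuPG's own option processing.
"""
import re


def auto_key_retrieve_enabled(conf_text: str) -> bool:
    """Return True if the config leaves automatic key retrieval switched on."""
    enabled = False  # GnuPG's default is off
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment line
            continue
        parts = line.split(None, 1)
        opt = parts[0]
        if opt == "auto-key-retrieve":
            enabled = True
        elif opt == "no-auto-key-retrieve":
            enabled = False
        elif opt == "keyserver-options" and len(parts) == 2:
            # keyserver-options takes a space- or comma-delimited list
            for item in re.split(r"[,\s]+", parts[1].strip()):
                if item == "auto-key-retrieve":
                    enabled = True
                elif item == "no-auto-key-retrieve":
                    enabled = False
    return enabled


# Constructed sample configs; the keyserver hostname is a placeholder.
WEAK_CONF = """\
keyserver hkp://keys.example.invalid
keyserver-options auto-key-retrieve,include-revoked
"""

HARDENED_CONF = """\
keyserver hkp://keys.example.invalid
keyserver-options include-revoked
no-auto-key-retrieve
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        state = "ON" if auto_key_retrieve_enabled(conf) else "off"
        print(f"{name}: automatic key retrieval is {state}")
```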

