David Shaw on Sun, 6 Jul 2003 20:23:44 -0400
On Sat, Jul 05, 2003 at 11:15:19PM -0400, gabriel rosenkoetter wrote:

> [1] Definition 2 of "handy": security risk. Automatically downloading
> things is almost always a bad idea. There's no more reason to assume
> that gpg doesn't contain a buffer overflow than there is to assume that
> Microsoft Outlook doesn't. Now, gpg is probably a little bit more
> careful with the data it retrieves from a keyserver... but still. Be
> conscious of what you're having your software do for you.

What are you saying... that software might have *bugs*? Horrors! ;)

For what it is worth, GnuPG 1.4 has no keyserver access code in the
main gpg program, and does it all via helper applications (1.2.x does
this only partially). That doesn't eliminate the possibility of a
remote compromise, of course, but does make it a little bit harder for
a few reasons.

Automatic key retrieval has another interesting security implication.
If you think about it, key retrievals make a pretty decent "web bug"
for the keyserver operator.

David
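The two settings the thread is arguing about, side by side, as an added example: this gpg.conf fragment is not part of the original exchange and not GnuPG's own documentation. The option names are those documented for `keyserver-options` in the GnuPG 1.4 gpg(1) manual; the keyserver hostname is a placeholder assumption.

```conf
# gpg.conf fragment (added example, not from the original message).
# keyserver.example.org is a placeholder; substitute your own server.
keyserver hkp://keyserver.example.org

# Risky setting (the one the thread is about): gpg contacts the keyserver
# on its own whenever it verifies a signature made by a key that is not in
# the local keyring. Each lookup tells the keyserver operator which key ID
# you are verifying, from which address, and when: the "web bug" David
# describes. Per the manual, with honor-keyserver-url (the default) a
# signature carrying a preferred-keyserver URL also redirects that fetch to
# a server of the signer's choosing.
#keyserver-options auto-key-retrieve

# Safer setting: never fetch keys implicitly, and do not follow keyserver
# URLs embedded in keys or signatures. Keys are fetched only when you ask.
keyserver-options no-auto-key-retrieve no-honor-keyserver-url
```

With the safer setting, a verification against an unknown key simply reports that the public key is not found; you then decide whether to fetch it yourself with an explicit `gpg --recv-keys <keyid>`, so the keyserver only learns about lookups you chose to make.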