Wichert Akkerman <[EMAIL PROTECTED]> writes:

> Previously Florian Weimer wrote:
> > With GnuPG 1.0.4, the web of trust can be compromised by an attacker,
>
> How?

GnuPG 1.0.4 automatically assigns ultimate trust to public keys if a corresponding private key is present in the private key ring. When a key ring is imported, public keys are added to the public key ring, and private keys to the private key ring, without any confirmation by the user. Usually, key rings are distributed over an insecure channel, and we have to assume an attacker can inject suitably chosen private keys, public keys, and key signatures. When the victim imports a tampered key ring, he also imports ultimately trusted keys without any warning. The ultimately trusted key can sign any other key and raise the computed trust to the maximum, thus the victim's web of trust is compromised.

Starting with 1.0.5, GnuPG no longer automatically imports private keys.

I first thought that this problem is pretty academic, but when you think of it, it's quite scary, because it affects the core of GnuPG, the web of trust.

> > and there's a pretty severe problem with detached signature
> > verification.
>
> That was fixed months ago, check the changelog.

Sorry.

-- 
Florian Weimer                                [EMAIL PROTECTED]
University of Stuttgart                  http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
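The attack described in the message above, modelled as an added example that is not part of the original post and not GnuPG code. It uses a deliberately simplified version of the classic web-of-trust rules (a key is valid if it is ultimately trusted, or if it carries a signature from a valid key whose owner is fully or ultimately trusted; marginal trust is left out), and the keyring structure, the key IDs `VICTIM`, `PLANTED` and `ROGUE`, and the version switch in `simulate()` are all constructed for the illustration. The one behaviour difference modelled between "1.0.4" and "1.0.5" is the one the message names: whether secret keys found in an imported keyring are added to the victim's secret keyring without confirmation.

```python
"""Model of the GnuPG 1.0.4 keyring-import weakness (constructed example).

Trust rules are a simplified web of trust: a key is valid if it is ultimately
trusted, or if it is signed by an already-valid key whose owner trust is FULL
or ULTIMATE.  The 1.0.4 rule "a key with a secret key is ultimately trusted"
is applied in both simulated versions; only secret-key import differs.
"""
from dataclasses import dataclass, field

ULTIMATE, FULL, UNKNOWN = "ultimate", "full", "unknown"


@dataclass
class PublicKey:
    keyid: str
    sigs: set = field(default_factory=set)  # key IDs that certified this key


@dataclass
class Keyring:
    public: dict = field(default_factory=dict)      # keyid -> PublicKey
    secret: set = field(default_factory=set)        # key IDs we hold a secret key for
    ownertrust: dict = field(default_factory=dict)  # keyid -> explicit trust level

    def import_keyring(self, other, import_secret_keys):
        """Merge another keyring: public keys and their signatures always,
        secret keys only when import_secret_keys is set (the 1.0.4 behaviour)."""
        for kid, pk in other.public.items():
            mine = self.public.setdefault(kid, PublicKey(kid))
            mine.sigs |= pk.sigs
        if import_secret_keys:
            self.secret |= other.secret

    def effective_trust(self, kid):
        # 1.0.4 rule: a key with a corresponding secret key is ultimately trusted.
        if kid in self.secret:
            return ULTIMATE
        return self.ownertrust.get(kid, UNKNOWN)

    def valid_keys(self):
        """Fixpoint computation of the set of valid key IDs."""
        valid = {k for k in self.public if self.effective_trust(k) == ULTIMATE}
        changed = True
        while changed:
            changed = False
            for kid, pk in self.public.items():
                if kid in valid:
                    continue
                if any(s in valid and self.effective_trust(s) in (ULTIMATE, FULL)
                       for s in pk.sigs):
                    valid.add(kid)
                    changed = True
        return valid


def build_victim():
    """Victim holds only its own keypair, explicitly ultimately trusted."""
    victim = Keyring()
    victim.public["VICTIM"] = PublicKey("VICTIM")
    victim.secret.add("VICTIM")
    victim.ownertrust["VICTIM"] = ULTIMATE
    return victim


def build_tampered_keyring():
    """Attacker's keyring (constructed): a planted keypair, shipped together
    with its secret key, that has certified a rogue key."""
    evil = Keyring()
    evil.public["PLANTED"] = PublicKey("PLANTED")
    evil.secret.add("PLANTED")
    evil.public["ROGUE"] = PublicKey("ROGUE", sigs={"PLANTED"})
    return evil


def simulate(version):
    """Return the victim's valid keys after importing the tampered keyring.
    version is "1.0.4" (secret keys imported silently) or "1.0.5" (not)."""
    if version not in ("1.0.4", "1.0.5"):
        raise ValueError("unknown modelled version: " + version)
    victim = build_victim()
    victim.import_keyring(build_tampered_keyring(),
                          import_secret_keys=(version == "1.0.4"))
    return victim.valid_keys()


if __name__ == "__main__":
    for v in ("1.0.4", "1.0.5"):
        print(v, "valid keys after import:", sorted(simulate(v)))
```

In the "1.0.4" run the planted secret key lands in the victim's secret keyring, becomes ultimately trusted without any owner-trust decision by the user, and its signature on `ROGUE` makes that key fully valid as well; in the "1.0.5" run the same public keys and signatures are imported, but without the secret key the planted key has unknown owner trust and neither it nor `ROGUE` becomes valid.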