On Thursday 01 October 2009, Daniel Kahn Gillmor wrote:
> On 09/30/2009 05:32 PM, Ingo Klöcker wrote:
> > Hmm, AFAIU, for someone who does not blindly certify such keys this
> > shouldn't be a problem since those malicious keys wouldn't be valid
> > and thus wouldn't take preference over a valid key ... unless
> > somebody else this person trusts is trying to screw them.
>
> The current gpg behavior is to use the first key with a matching User
> ID, regardless of the validity of that User ID. So this causes (at
> best) warnings and alerts about using an invalid key or (at worst)
> lets someone with marginal ownertrust abuse the user by taking
> precedence over a fully-trusted certification if the keyring happens
> to be ordered in a certain way.

Indeed. That's a weird policy.

Regards,
Ingo
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
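
The key-selection behaviour discussed in this thread, as an added example that is not part of the original messages or of GnuPG's code: it contrasts first-match selection with a validity-aware selection over a keyring listing. Assumptions: the listing uses the `gpg --with-colons --list-keys` layout with separate `uid` records (validity in field 2, User ID in field 10); the sample keyring, key IDs and function names are constructed for illustration.

```python
# Constructed sample in the style of `gpg --with-colons --list-keys`.
# Three keys claim the same User ID; keyring order puts the weakest first.
SAMPLE = """\
pub:-:2048:1:AAAAAAAAAAAAAAAA:1254268800:::-:::scESC:
uid:-::::1254268800::HASH1::Alice Example <alice@example.org>:
pub:m:2048:1:BBBBBBBBBBBBBBBB:1254182400:::-:::scESC:
uid:m::::1254182400::HASH2::Alice Example <alice@example.org>:
pub:f:2048:1:CCCCCCCCCCCCCCCC:1230768000:::-:::scESC:
uid:f::::1230768000::HASH3::Alice Example <alice@example.org>:
"""

# u = ultimate, f = full, m = marginal; every other letter
# (unknown, expired, revoked, invalid, ...) ranks 0, i.e. not valid.
VALIDITY_RANK = {"u": 3, "f": 2, "m": 1}

def parse_uids(listing):
    """Yield (keyid, uid_validity, user_id) in keyring order."""
    keyid = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid = f[4]
        elif f[0] == "uid" and keyid and len(f) > 9:
            yield keyid, f[1], f[9]

def first_match(listing, needle):
    """First key with a matching User ID wins, validity ignored."""
    for keyid, validity, uid in parse_uids(listing):
        if needle.lower() in uid.lower():
            return keyid, validity
    return None

def best_valid_match(listing, needle, minimum="f"):
    """Highest-validity match at or above `minimum`; earliest wins ties."""
    best = None
    for keyid, validity, uid in parse_uids(listing):
        rank = VALIDITY_RANK.get(validity, 0)
        if needle.lower() in uid.lower() and rank >= VALIDITY_RANK[minimum]:
            if best is None or rank > best[0]:
                best = (rank, keyid, validity)
    return best and best[1:]

if __name__ == "__main__":
    print("first match:     ", first_match(SAMPLE, "alice@example.org"))
    print("best valid match:", best_valid_match(SAMPLE, "alice@example.org"))
```

In scripts, the same risk is avoided by addressing recipients by full fingerprint rather than by User ID substring.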