[Mailman-Developers] GSoC Updates

Stephen J. Turnbull stephen at xemacs.org
Wed Aug 21 21:29:58 CEST 2013


Daniel Kahn Gillmor writes:
 > On 08/14/2013 04:35 AM, Stephen J. Turnbull wrote:

 > > Python 2.7.5 (default, Aug  1 2013, 23:58:20) 
 > >>>> from gnupg import GPG
 > >>>> gpg = GPG(gnupghome='/Users/steve/.gnupg',keyring='test-pub',secret_keyring='test-sec')
 > >>>> crypted = gpg.encrypt(u'A bit of random text.', u'stephen at xemacs.org', always_trust=True)

 > hmm, always_trust=True is probably problematic

Of course it is, but I was working with a test keyring.

 > -- if someone manages to inject another key with the associated
 > User ID earlier into gpg's keyring, then their key will be used
 > before the correct key.

This is an argument for validity checks on the keyring.  The
alternative is keeping the email-to-fingerprint mapping in the User
database, which is *not* designed for crypto validation.  I see no
reason to suppose it's easier to attack the keyring than the User
database.

 > fortunately, in the current implementation we're only worrying about
 > signing, not encryption; so the relevant issue is the choice of secret
 > key, and we don't expect other users to be able to inject data into the
 > secret keyring, so this shouldn't be a concern.  right?

I don't think it's a major concern, period.  True, encryption uses the
public key, which may be downloaded from a keyserver or entered from
the web, making injection attacks plausible.  So what?  What's the
alternative given that the raison d'etre of Mailman is to give users
control over their profiles?

Note that I don't deny that there are real security issues here, and
that in some contexts they are important.  But if they are, I have to
wonder if Mailman isn't much too complicated to be trusted anyway.

Steve
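As an added example (not code from this thread, from python-gnupg or from Mailman), the recipient-pinning check the discussion points at: resolve the address to the fingerprint recorded for the subscriber and refuse to encrypt when the keyring holds a second key with the same User ID. The key records, fingerprints and the `expected_fpr` argument are constructed assumptions.

```python
# Added example, not from the thread or from Mailman: pin encryption
# recipients by fingerprint so a second key carrying the same User ID
# (the injection dkg describes) is never chosen in place of the real one.
# Key records mimic the dicts returned by python-gnupg's GPG.list_keys().

class RecipientKeyError(Exception):
    """Raised when the keyring does not yield exactly the expected key."""


def keys_for_email(keys, email):
    """Return every key whose User IDs contain <email> (case-insensitive)."""
    needle = "<%s>" % email.lower()
    return [k for k in keys if any(needle in uid.lower() for uid in k["uids"])]


def pinned_recipient(keys, email, expected_fpr):
    """Resolve email to a fingerprint, refusing ambiguity and mismatches.

    expected_fpr (assumed to be recorded when the subscriber registered
    the key) must equal the fingerprint of the single matching key; gpg
    by itself would silently take the first key matching the address.
    """
    matches = keys_for_email(keys, email)
    if not matches:
        raise RecipientKeyError("no key for %s" % email)
    if len(matches) > 1:
        raise RecipientKeyError("%d keys carry %s" % (len(matches), email))
    fpr = matches[0]["fingerprint"].replace(" ", "").upper()
    if fpr != expected_fpr.replace(" ", "").upper():
        raise RecipientKeyError("%s has %s, expected %s" % (email, fpr, expected_fpr))
    return fpr


def encrypt_to_pinned(gpg, email, expected_fpr, text):
    """Encrypt to the pinned fingerprint using a gnupg.GPG instance.

    With the recipient pinned, always_trust only stops gpg from demanding
    web-of-trust validity for a key the application already verified.
    """
    fpr = pinned_recipient(gpg.list_keys(), email, expected_fpr)
    return gpg.encrypt(text, fpr, always_trust=True)


# Constructed keyring: a legitimate key plus an injected one reusing the
# same User ID.  Fingerprints are placeholders, not real keys.
SAMPLE_KEYS = [
    {"fingerprint": "1111" * 10, "uids": ["Alice <alice@example.org>"]},
    {"fingerprint": "2222" * 10, "uids": ["Bob <bob@example.org>"]},
    {"fingerprint": "3333" * 10, "uids": ["Mallory <bob@example.org>"]},
]
```

Against SAMPLE_KEYS, Alice resolves to her pinned fingerprint while Bob's address is refused because two keys carry it.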
