Bug 21889
| Field | Value |
|---|---|
| Summary: | Web of trust circumvention by secret key distribution |
| Product: | [Retired] Red Hat Linux |
| Component: | gnupg |
| Version: | 7.0 |
| Hardware: | i386 |
| OS: | Linux |
| Status: | CLOSED ERRATA |
| Severity: | medium |
| Priority: | high |
| Keywords: | Security |
| Reporter: | Daniel Roesen <dr> |
| Assignee: | Nalin Dahyabhai <nalin> |
| QA Contact: | Aaron Brown <abrown> |
| CC: | courfeyrak, jarno.huuskonen, redhat |
| Doc Type: | Bug Fix |
| Last Closed: | 2000-12-20 16:58:50 UTC |
| Bug Depends On: | 21498 |

Description
Daniel Roesen
2000-12-07 12:16:44 UTC
From: Werner Koch <wk>
To: gnupg-devel
Subject: Re: BUG: Web of trust circumvention by secret key distribution
Date: Thu, 7 Dec 2000 11:47:28 +0100

On Thu, 7 Dec 2000, Florian Weimer wrote:

> GnuPG accepts secret keys from key servers. This means that a secret
> key can be added to the secret key ring without user intervention,
> making the corresponding public key ultimately trusted and thus

Agreed.

> A similar problem exists with "--import". IMHO, a separate
> "--import-secret-key" option is needed, and secret keys downloaded

The new option is called --allow-secret-key-import and works for all import sources. Implementing a --import-secret-key (which might imply that public keys are not imported) is difficult, so we use this option. Should show up on CVS RSN.

Werner

OK, now we have _two_ severe security bugs in GnuPG. When can we expect an update? Bug #21498 is now pending for about a week since patch availability - without any reaction.
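
The report above concerns secret-key packets arriving in imported data. As an added example (not code from GnuPG or from this bug report), the following Python code walks OpenPGP packet headers as framed in RFC 4880 and rejects input containing secret-key packets unless the caller opts in, the same opt-in idea as the `--allow-secret-key-import` option mentioned in the mail. The function names and sample bytes are assumptions constructed for illustration; ASCII armor, partial body lengths and indeterminate lengths are not handled.

```python
# Added illustration: scan binary OpenPGP data for secret-key packets before import.
# Packet framing follows RFC 4880 section 4.2; names and samples are hypothetical.
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}

def packets(data):
    """Yield (tag, body) for each OpenPGP packet in binary (non-armored) data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:                      # new-format header: tag in low 6 bits
            tag = hdr & 0x3F
            first = data[i]
            i += 1
            if first < 192:                 # one-octet length
                length = first
            elif first < 224:               # two-octet length
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:              # five-octet length
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                               # old-format header: tag in bits 5-2
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def check_import(data, allow_secret=False):
    """Return the secret-key packet kinds found; raise unless explicitly allowed."""
    found = [SECRET_TAGS[t] for t, _ in packets(data) if t in SECRET_TAGS]
    if found and not allow_secret:
        raise PermissionError("refusing import: contains " + ", ".join(found))
    return found

# Constructed samples: valid packet headers with dummy bodies, not real key material.
PUBLIC_ONLY = bytes([0x99, 0x00, 0x03]) + b"pub" + bytes([0xCD, 0x03]) + b"uid"
WITH_SECRET = bytes([0x95, 0x00, 0x03]) + b"sec" + bytes([0xC7, 0x02]) + b"ss"
```
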