
Disable importing V3 keys from keyservers
Closed, Resolved, Public

Description

The 0xdeadbeef attack still works; this makes Tomanek's keyserver import filter
essentially useless. If you'd like a PoC, there is a keyserver that generates V3 keys
with spoofed keyids on demand available at
https://github.com/coruus/cooperpair/tree/master/keysteak

A patch to HEAD is attached; it could use some testing. (I can provide an
actually-well-tested patch against 1.x if you would like, but I know you prefer to
backport at this point.)

Even better would be to disable importing V3 keys entirely, and perhaps require that an
option be set explicitly to use them. This was suggested on the OpenPGP list:
http://www.ietf.org/mail-archive/web/openpgp/current/msg00366.html
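The reason the spoofed-keyid trick works is structural: a V3 (PGP 2) key ID is simply the low 64 bits of the RSA modulus and its fingerprint is an MD5 over the modulus and exponent (RFC 4880 section 12.2), so whoever chooses the modulus chooses the key ID, whereas a V4 key ID is the tail of a SHA-1 fingerprint over the whole key packet. The following is an added illustration, not the attached patch and not GnuPG's own import code: a small OpenPGP packet parser that computes the key ID of each public-key packet in a keyserver response and rejects V3 keys unless the caller explicitly allows them, which is the filter behaviour the report asks for. The function names and the sample key material (an arbitrary 512-bit byte pattern standing in for a modulus, not a real RSA key) are constructed for this example.

```python
import hashlib
import struct

PUBKEY_TAG = 6   # public-key packet
SUBKEY_TAG = 14  # public-subkey packet (checked too, defensively)


def parse_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: length type 0/1/2 -> 1/2/4 length octets
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def read_mpi(body: bytes, off: int):
    """Read one MPI (2-byte bit count, then the magnitude); return (bytes, new offset)."""
    bits = struct.unpack(">H", body[off:off + 2])[0]
    nbytes = (bits + 7) // 8
    return body[off + 2:off + 2 + nbytes], off + 2 + nbytes


def key_info(body: bytes) -> dict:
    """Key ID and fingerprint of a public-key packet body, per RFC 4880 section 12.2."""
    version = body[0]
    if version == 3:
        # v3: version, 4-byte ctime, 2-byte validity, algo, then RSA n and e.
        algo = body[7]
        n, off = read_mpi(body, 8)
        e, _ = read_mpi(body, off)
        keyid = n[-8:].hex().upper()             # low 64 bits of the modulus
        fpr = hashlib.md5(n + e).hexdigest().upper()
    elif version == 4:
        # v4: fingerprint is SHA-1 over 0x99, 2-byte body length, body.
        algo = body[5]
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        keyid = fpr[-16:]                        # low 64 bits of the fingerprint
    else:
        raise ValueError("unsupported key version %d" % version)
    return {"version": version, "algo": algo, "keyid": keyid, "fingerprint": fpr}


def filter_keyserver_import(data: bytes, allow_v3: bool = False):
    """Split keys found in a keyserver response into (accepted, rejected).

    V3 keys are rejected unless allow_v3 is set explicitly, because their key
    IDs are attacker-choosable and cannot be trusted for lookup or matching."""
    accepted, rejected = [], []
    for tag, body in parse_packets(data):
        if tag not in (PUBKEY_TAG, SUBKEY_TAG):
            continue
        info = key_info(body)
        (rejected if info["version"] == 3 and not allow_v3 else accepted).append(info)
    return accepted, rejected


# ---- constructed sample input (not a real key pair) -------------------------
def _mpi(b: bytes) -> bytes:
    return struct.pack(">H", int.from_bytes(b, "big").bit_length()) + b


def _old_packet(tag: int, body: bytes) -> bytes:
    # old-format header with a two-octet length (length type 1)
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


SAMPLE_N = bytes(0xC0 + (i % 32) for i in range(64))  # 512-bit byte pattern, not a real modulus
SAMPLE_E = b"\x01\x00\x01"


def sample_keyserver_response() -> bytes:
    """One V3 RSA key packet followed by one V4 RSA key packet, both constructed."""
    v3 = bytes([3]) + struct.pack(">I", 0x5A000000) + struct.pack(">H", 0) + bytes([1]) \
        + _mpi(SAMPLE_N) + _mpi(SAMPLE_E)
    v4 = bytes([4]) + struct.pack(">I", 0x5A000000) + bytes([1]) + _mpi(SAMPLE_N) + _mpi(SAMPLE_E)
    return _old_packet(PUBKEY_TAG, v3) + _old_packet(PUBKEY_TAG, v4)


if __name__ == "__main__":
    ok, bad = filter_keyserver_import(sample_keyserver_response())
    for k in bad:
        print("rejected v%d key %s (keyid is just the tail of n)" % (k["version"], k["keyid"]))
    for k in ok:
        print("accepted v%d key %s fpr %s" % (k["version"], k["keyid"], k["fingerprint"]))
```

Running it shows that the V3 key's ID is exactly the last eight bytes of the sample modulus, which is the property the 0xdeadbeef attack exploits, while the V4 key's ID depends on a SHA-1 over the entire packet; the filter therefore drops the V3 key by default and only admits it when `allow_v3=True`, mirroring the "require an explicit option" suggestion above.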

Event Timeline

Fixed patch; previous version included an extra translatable string. And lacked a
semicolon.

Note:
Please refer to the ongoing discussion on gnupg-devel.

All PGP 2 support (v3 keys) has been removed from master (2.1). Thus I consider this
solved.

werner claimed this task.